Collaborative TCP Sequence Number Inference Attack mdashHow to Crack Sequence Number Under A Second

Zhiyun QianDepartment of EECSUniversity of Michigan2260 Hayward StreetAnn Arbor MI USA

zhiyunqumichedu

Z Morley MaoDepartment of EECS

University of Michigan2260 Hayward StreetAnn Arbor MI USA

zmaoumichedu

Yinglian XieMicrosoft Research

Silicon Valley1288 Pear Avenue

Mountain View CA USAyxiemicrosoftcom

ABSTRACTIn this study we discover a new class of unknown side chan-nels mdash ldquosequence-number-dependentrdquo host packet countersmdash that exist in LinuxAndroid and BSDMac OS to enableTCP sequence number inference attacks It allows a pieceof unprivileged on-device malware to collaborate with anoff-path attacker to infer the TCP sequence numbers usedbetween a client and a server leading to TCP injection andhijacking attacks We show that the inference takes in com-mon cases under a second to complete and is quick enoughfor attackers to inject malicious Javascripts into live Face-book sessions and to perform malicious actions on behalf of avictim user Since supporting unprivileged access to globalpacket counters is an intentional design choice we believeour findings provide important lessons and offer insights onfuture system and network design

Categories and Subject DescriptorsD46 [Operating Systems] Security and Protec-tionmdashInformation flow controls C25 [Computer-Communication Networks] Local and Wide-Area Net-worksmdashInternet (eg TCPIP)

General TermsSecurity Experimentation

KeywordsTCP hijacking TCP sequence number Network packetcounters

1 INTRODUCTIONSince TCP was not originally designed for security for

years it has been patched to address various security holesamong which the randomization of TCPrsquos initial sequencenumber (ISN) introduced in RFC1948 [7] in 1996 was an

Permission to make digital or hard copies of all or part of this work forpersonal or classroom use is granted without fee provided that copies arenot made or distributed for profit or commercial advantage and that copiesbear this notice and the full citation on the first page To copy otherwise torepublish to post on servers or to redistribute to lists requires prior specificpermission andor a feeCCSrsquo12 October 16ndash18 2012 Raleigh North Carolina USACopyright 2012 ACM 978-1-4503-1651-41210 $1500

important one It was proposed to guard against off-pathspoofing attacks attempting to inject packets with forgedsource addresses (for data injection or reset attacks) [78] ISN randomization prevents easy prediction of sequencenumbers thus arbitrarily injected packets are likely to bediscarded at the receiver due to invalid sequence numbers

The patch has largely rendered most sequence-number-guessing-based attacks very hard to succeed However inrecent years new attacks are reported In 2007 a studyreported in Phrack magazine [1] has revisited the problemand claimed that TCP sequence number can still be inferredbased on how a host treats in-window and out-of-window in-coming packets However the scope of this attack is ratherlimited primarily targeting long-lived connections with arather low success rate (as shown in sect33) In 2012 re-searchers have discovered that the sequence number infer-ence attack can be more generally applicable impacting evenshort-lived HTTP connections [26] However this attackheavily relies on the presence of sequence-number-checkingfirewall middleboxes deployed in the network Specificallythe idea is that if a packet has passed the sequence-number-checking firewall then it implies that the sequence numberof the packet is considered within a legitimate window

Our work generalizes these attacks by eliminating thestrong requirements imposed on them to enable a broaderclass of attacks Specifically we make the following key con-tributionsbull Building on the threat model presented in the recentwork [26] we generalize the sequence number inference at-tack by demonstrating that it can be reliably carried outwithout the help of the firewall middleboxes Our work pro-vides further evidence that relying on TCP sequence numberfor security is not an optionbull Distinct from the ldquoerror countersrdquo (eg packets rejecteddue to old timestamps) used in the previous study [26]which serves only as an indication of whether a packet isallowed to pass through the sequence-number-checking fire-wall we discover a new class of packet counters mdashldquosequence-number-dependentrdquo counters in LinuxAndroid (1 counter)and BSDMac OS (8 counters) mdash that can directly leak se-quence numbers without requiring the presence of firewallmiddleboxes thereby elevating the danger of TCP injectionand hijacking attacksbull We are able to complete the sequence number inferencewithin 4ndash5 round trips which is much faster than the onepreviously proposed [26] due to both the property of newlydiscovered ldquosequence-number-dependentrdquo counters as well as

a more efficient probing scheme For instance we show thatit takes as little as 50ms to complete the inference two or-ders of magnitude faster than previous method It can eveneliminate the need of conducting additional TCP hijackingattacks required before resulting in a much higher attacksuccess rate (See sect51)

As a proof-of-concept demonstration we show that ourattack allows a piece of unprivileged malware on Androidsmartphones to hijack a Facebook connection replacing thelogin page or injecting malicious Javascripts to post newstatus on behalf of the victim user or performing other ac-tions All these attacks (except the TCP hijacking attack)work on the latest Linux kernel TCP hijacking requires ker-nel versions earlier than 302 which are still the case for themajority of the Android phones Besides AndroidLinux wealso demonstrate that the attack is applicable to the latestBSDMac OS We believe our work presents an importantmessage that todayrsquos systems still expose too much sharedstate with poor isolation

The rest of the paper is organized as follows sect2 thor-oughly describes the related work sect3 explains how to inferTCP sequence number (including both previous study andour discovery) sect4 covers how we can leverage the sequencenumber inference as a building block to conduct a number ofTCP attacks sect5 shows several cases studies demonstratingthe impact on specific applications sect6 discusses why theproblem occurred and concludes

2 RELATED WORKTCP sequence number inference attack By far

there are only a few reported TCP sequence number in-ference attacks The first one goes back to 1999 where aTCP stack bug causes the kernel to silently drop the thirdpacket during ldquothree-way handshakerdquo if the ACK number issmaller than the expected ACK number and sends a resetotherwise [4] This allows an attacker to send spoofed ACKpackets and infer the correct ACK number This minor bugwas quickly fixed Besides it there are three other closelyrelated studies One of them is described in the Phrackmagazine [1] that uses the IPID side channel on Windowsto infer both the server-side and the client-side TCP se-quence numbers According to our empirical results suchattack is theoretically possible but very hard to carry outIt can succeed under rather limited conditions due to a largenumber of packets required as well as the noisy side-channelthat is leveraged Following the same direction a more re-cent work [20] improves the reliability of the attack by re-quiring certain control on the client (eg javascript throughbrowser) yet it still relies on the noisy IPID side channelavailable on Windows only

A closely related recent work [26] discusses how sequence-number-checking firewall middleboxes can leak the TCP se-quence number state stored on the firewall The idea isthat if a packet has passed the sequence-number-checkingfirewall it implies that the sequence number of the packet isconsidered within a legitimate window Otherwise it impliesthat the packet has an out-of-window sequence number Asa result if an attacker can observe whether a spoofed packethas passed the firewall he will be able to know if a guessedsequence number is correct To do so an attacker can in-tentionally craft a spoofed packet with certain errors (egold timestamp) and then leverage the error packet coun-ters on the host (eg packets rejected due to old times-

tamps) to tell if a spoofed packet has passed the firewalland reached the end-host In our work we make a ma-jor improvement by eliminating the requirement of firewallmiddleboxes altogether with the help of a class of ldquosequence-number-dependentrdquo packet counters that we discover Inaddition to a more general attack model we also show sig-nificant improvements on success rate and attack speed withmuch lower network resource requirements

Other TCP-sequence-number-related attacks (1)TCP sequence number prediction attack Different fromTCP sequence number inference attack the prediction at-tack relies on the non-randomness of TCP Initial SequenceNumbers (ISN) [25 2] To defend the attack RFC1948 [7]standardizes the ISN randomization behavior such that dif-ferent connections should generate random sequence num-bers independently (2) Blind TCP RST attack Due to thefact that a connection will be reset as long as the sequencenumber of the reset (RST) packet falls in the current receivewindow in a long-lived connection (eg a BGP session) anattacker can brute force all possible target connections andsequence number ranges [8 32] to cause denial of service

Smartphone-based attacks There have been a num-ber of attacks against smartphones many of which focus onleaking sensitive information [15 16 28] In addition thereis a class of privilege escalation attacks on Android [17 1914] but they are limited to gaining permissions that typi-cally cannot affect the behavior of other applications Forinstance one application may gain the permission of readingthe contact list or GPS location through other colluding orvulnerable apps but it cannot tamper with the TCP connec-tion of other applications given the OSrsquos sandboxing mecha-nisms Our study demonstrates that injection and hijackingof TCP connections can be achieved without requiring anyspecial permission other than the permission to access theInternet

Side-channel information leakage A wide range ofside channels have been investigated before CPU powershared memoryfiles and even electromagnetic waves etcResearchers have found that it is possible to construct vari-ous attacks eg to infer keystrokes through many side chan-nels [30 33 29 13 18] It is especially interesting to see howsmartphones can allow malware to infer sensitive informa-tion through on-board sensors (which can also be consideredas side-channels) For instance Soundcomber [28] uses theaudio sensor to record credit card numbers entered throughkeypad In our work we also rely on side-channels on thehost but the attacks infer information at the network-layer

3 TCP SEQUENCE NUMBER INFER-ENCE ATTACK

The ultimate goal of the attack is to inject malicious TCPpayload into apps running on a victim smartphone or clientdevice It is achieved by a piece of unprivileged on-devicemalware collaborating with an off-path attacker on the In-ternet The main implication of this attack is that websitesthat do not use HTTPS will be vulnerable to various at-tacks such as phishing and Javascript injection because theHTTP response can be potentially replaced Even if HTTPSis used they are still vulnerable to connection reset attacksas we show that the sequence number can be quickly inferredin under a second

1

(Y Y + WIN)

Probing

Packets

2 Feedback

Figure 1 Threat model

31 Threat ModelThe threat model is illustrated in Figure 1 There are

four main entities (1) The victim smartphone and a targetapplication constituting the attack target (2) The legiti-mate server which talks to the victim smartphone using anunencrypted application-layer protocol (eg HTTP) Theserver can also become the attack target (see sect5) (3) Theon-device malware which is unprivileged and cannot tam-per with other apps directly (4) The off-path attacker whois capable of spoofing the IP address of the legitimate serverand the victim smartphone The off-path attacker and themalware collaborate to infer the correct TCP sequence num-ber of the connection established between the target app andthe legitimate server Note that different from the threatmodel described in the recent study [26] this attack doesnot require the network firewall middlebox making our at-tack model much more general

At a high level as shown in Figure 1 the off-path at-tacker needs two pieces of information (1) the four tuplesof a target connection ie sourcedestination IP addressesand sourcedestination port numbers and (2) the correct se-quence number The on-device malware can easily identifythe current active connections (eg through netstat) butit does not know the sequence number in use In this at-tack model the off-path attacker can send probe packetsusing the target four tuples with different guessed sequencenumbers The unprivileged malware then uses certain side-channels to provide feedback on whether the guessed se-quence numbers are correct Guided by the feedback theoff-path attacker can then adjust the sequence numbers tonarrow down the correct sequence number

32 Packet Counter Side ChannelsIn this study we look at a particular type of side chan-

nel packet counters that can potentially provide indirectfeedback on whether a guessed sequence number is correctIn Linux the procfs [24] exposes aggregated statistics onthe number of incomingoutgoing TCP packets with certainproperties (eg wrong checksums) Alternatively ldquonetstat-srdquo exposes a similar set of information on all major OSesincluding Microsoft Windows Linux BSD Mac OS andsmartphone OSes like Android and iOS Since such coun-ters are aggregated over the entire system they are gener-ally considered safe and thus accessible to any user or pro-gram without requiring special permissions The IPID side-channel [27] can be considered as a special form of packetcounter that records the total number of outgoing packetssince it is incremented for every outgoing packet Howeversuch side-channel is nowadays only available on MicrosoftWindows and is typically very noisy

Even though it is generally perceived safe we show thatan attacker can correlate the packet counter update with

how the TCP stack treats a spoofed probing packet witha guessed sequence number Different from the recentwork [26] that uses certain ldquoerror countersrdquo as an indica-tion of whether a spoofed packet has passed the sequence-number-checking firewall middlebox our hypothesis is thatthe TCP stack may increment certain counters when theguessed sequence number is wrong and remain the samewhen it is correct or vice versa Such counters can directlyleak sequence numbers without the help of the firewall mid-dlebox and are thus named ldquosequence-number-dependentcountersrdquo (details in sect34 and sect35) To investigate such apossibility we first need to understand how TCP stack han-dles an incoming TCP packet and how various counters areincremented during the process

33 TCP Incoming Packet ValidationIn this section we provide background on how a standard

TCP stack validates an incoming packet that belongs to anestablished TCP connection Specifically we use the sourcecode of the latest Linux kernel 326 (at the time of writing)as reference to extract the steps taken and checks performedon an incoming packet (the packet validation logic is sta-ble since 2628) Based on the source code we summarizeldquosequence-number-dependentrdquo side-channels on Linux andextend it to BSDMac OS

Error check

Sequence number

check

Ack number

check

0-payload check

In-window

Valid

Pass

Fail

Out-of-window

Invalid

0-payload

Payload gt= 1

Error

counter++

tcp_send_dupack()

Drop

Ignore

Accept

Retransmission

check

Not retransmission

RetransmissionImmediate

ACK

Figure 2 Incoming packet validation logic

As we can see in Figure 2 there exist five main checksperformed by Linux TCP stack based on the correspondingsource code as well as our controlled experiments Thesechecks are performed for any incoming TCP packet that isdeemed to belong to an established connection based on thefour tuples

(1) Error check is for the purpose of dropping invalidpackets early on There are a number of specific error checks1) MD5 option check 2) timestamp option check 3) packetlength and checksum check Each has a corresponding errorpacket counter If a specific error is caught the correspond-ing host packet counter is incremented and the packet is notinspected further Otherwise it goes to the next step

(2) Sequence number check is the most relevant checkIt basically checks if a packet is in window by making surethat the ending sequence number of the incoming packet islarger than or equal to X and the starting sequence number

is smaller than or equal to X+rcv win where X is the nextexpected sequence number and rcv win is the current re-ceive window size If the sequence number is out of windowit triggers an immediate duplicate acknowledgment packetto be sent back indicating the correct sequence number thatit is expecting Otherwise the next check is conducted

(3) Acknowledge number check is an additional validitycheck on the packet A valid ACK number should theoreti-cally be within [Y Y+outstanding bytes] to be consideredvalid Here Y is the first unacknowledged sequence num-ber and outstanding bytes is total number of outstandingbytes not yet acknowledged Linux has a relaxed implemen-tation which allows half of the ACK number space to beconsidered valid (we discuss its impact later) If the ACKnumber is considered invalid then it is dropped withoutfurther processing Else the packet goes through the laternon-validity-related checks

(4) At this point the packet has the correct sequencenumber and the ACK number The stack needs to check if ithas any payload If it does not have any payload the packetis silently ignored unless there happens to be pending datathat can be piggybacked In particular the host cannot sendanother 0-payload acknowledgment packet for the 0-payloadincoming ACK packet which will create endless TCP ACKstorm [23]

(5) If the packet has non-zero payload the final check isto detect retransmission by checking if the ending sequencenumber of the packet is smaller than or equal to the nextexpected sequence number If so it does not process thepacket further and immediately sends an ACK packet to in-form the other end of the expected sequence number Sincestep 2 has already ensured that the ending sequence numbercannot be smaller than the next expected sequence numberthe only possible ending sequence number that can satisfythe retransmission check is the one equal to the next ex-pected sequence number

From the above description on how a TCP packet is han-dled it is not hard to tell that depending on whether thesequence number is in or out of window the TCP stack maybehave differently which can be observed by the on-devicemalware Specifically if it is an out-of-window packet with0-payload it most likely will not trigger any outgoing packetHowever if it is an in-window packet it immediately trig-gers an outgoing duplicate ACK packet As a result it ispossible to use the counter that records the total number ofoutgoing packets to tell if a guessed sequence number is inwindow

A similar observation has been made by the previousstudy in the Phrack magazine [1] The problem with theirapproach to infer sequence number is that such generalpacket counters can be very noisy mdash there may be back-ground traffic which can increment the system-wide outgo-ing packet counters It is especially problematic when thereceive window size is small mdash a large number of packetsneed to be sent and the probing is very likely to have limitedsuccess In fact we have implemented such sequence num-ber inference attack on a smartphone at home connectedto the broadband ISP through WiFi with 10Mbps down-link bandwidth Through 20 repeated experiments we findthat the inference always failed because of the noise of thebackground traffic

It is also worth noting that the error checks are performedat the very beginning preceding the sequence number check

which means that the corresponding error counters used bythe recent study [26] alone cannot provide any feedback ona guessed TCP sequence number

34 Sequence-Number-Dependent Counter inLinux

The reason why the Phrack attack [1] is difficult to carryout is two-fold (1) The required number of packets is toolarge an attacker needs to send at least one packet per re-ceive window in order to figure out the right sequence num-ber range (2) The counter that records the total number ofoutgoing packets is too noisy Subsequently we show thatboth problems can be addressed by using a newly discov-ered set of sequence-number-dependent packet counters thatincrement when the sequence number of an incoming packetmatches certain conditions

if (TCP_SKB_CB(skb)-gtend_seq = TCP_SKB_CB(skb)-gtseq

ampamp before(TCP_SKB_CB(skb)-gtseq tp-gtrcv_nxt))

NET_INC_STATS_BH(sock_net(sk)

LINUX_MIB_DELAYEDACKLOST)hellip

Figure 3 tcp send dupack() source code snippet in Linux

Server-side sequence number inference We closelystudy the function tcp send dupack() which is called af-ter the sequence number check (depicted in Figure 2)Within the function we discover an interesting piece ofcode shown in Figure 3 The ldquoifrdquo condition says if thepacketrsquos starting sequence number is not equal to its end-ing sequence number (ie the packet has nonzero pay-load) and its starting sequence number is ldquobeforerdquo the ex-pected sequence number then a packet counter named De-layedACKLost is incremented (which is publicly accessiblefrom procnetnetstat) This particular logic is to detectlost delayed ACK packets sent previously and switch fromthe delayed ACK mode into the quick ACK mode [12] Thepresence of an oldretransmitted TCP packet is an indica-tion that the delayed ACKs were lost

The question is how ldquobefore()rdquo is implemented In Linux(and Mac OS) it basically subtracts an unsigned 32-bit in-teger from another unsigned 32-bit integer and converts theresult into a signed 32-bit integer This means that half ofthe sequence number space (ie 2G) is considered beforethe expected sequence number For instance two unsignedintegers 1G minus 2G would lead to an unsigned integer 3GWhen converting to an signed value we obtain -1G

The net effect of the tcp send dupack() is that it allows anattacker to easily determine if a guessed sequence numberis before or after the expected sequence number Since theDelayedACKLost counter very rarely increments naturally(See sect38) an attacker can use this counter as a clean andreliable side-channel

Binary search Using this special counter it is straight-forward to conduct a binary search on the expected sequencenumber Note that the process is significantly different thanthe one proposed in the earlier work [26] in that the earlierwork still requires sending one packet per ldquowindowrdquo whichresults in a total of thousands or tens of thousands of pack-ets Here as illustrated in Figure 4 the attacker only needsto send one packet each round and only a total of 32 packetsresulting in hardly any bandwidth requirement

Specifically as shown in the figure in the first iterationthe attacker can try the middle of the sequence number space(ie 2G) If the expected sequence number falls in the firsthalf (ie bin 1) the DelayedACKLost counter incrementsby 1 Otherwise (ie if it falls in bin 2) the counter remainsthe same Suppose the attacker finds that the expected se-quence number is in the first half after the first iteration inthe second iteration he can try 1G to further narrow downthe sequence number After log2 4G = 32 rounds (also 32packets) the exact sequence number can be pinpointed Thetotal inference time can be roughly calculated as 32timesRTT In reality the number of RTTs can be further reduced bystopping the inference at an earlier iteration For instance ifit is stopped at the 31st iterations the attacker would knowthat the sequence number is either X or X+1 Similarlyif the number of iterations is 22 the attacker knows thatthe sequence number is within [X X+1024) In many casesthis is sufficient because the attacker can still inject a singlepacket with payload of 1460 bytes and pad the first 1024bytes with whitespace (which effectively leaves 436 bytes ofeffective payload) For instance if the application-layer pro-tocol is HTTP the whitespace is safely ignored even if theyhappen to be accepted as part of the HTTP response

0 4G

(a) First iteration

(b) Second iteration

2G

1

Bin 1Counter++

0

of packets

of packets

Bin 2Counter += 0

1G 2G

1

Bin 1Counter++

Bin 2Counter += 0

Figure 4 Sequence number inference illustration using theDelayedACKLost packet counter (binary search)

N-way search To further improve the inference speedwe devise a variation of the ldquoN-way searchrdquo proposed in therecent work [26] The idea is similar mdash instead of eliminatinghalf of the sequence number space each iteration we caneliminate Nminus1

Nof the search space by simultaneously probing

N-1 of N equally-partitioned bins The difference is thatthe inference requires one or two orders of magnitude fewerpackets compared to the previously proposed search

Figure 5 illustrates the process of a 4-way search In thefirst iteration the search space is equally partitioned into4 bins The attacker sends one packet with sequence num-ber 1G three packets with sequence number 2G and twopackets with sequence number 3G If the expected sequencenumber falls in the first bin the DelayedACKLost counterincrements by 2 as the two packets sent with sequence num-ber 3G are considered before the expected sequence numberSimilarly the counter increments by a different number fordifferent bins In general as long as the number of packetssent for each bin follow the distance between two consecu-tive marks on a circularmodular Golomb ruler [3] the De-layedACKLost counter increment will be unique when theexpected sequence number falls in different bins

In the later iterations however a much simpler strategycan be used In Figure 5(b) an attacker can just send onepacket per bin instead of following the circular Golomb rulerThe reason is that now that the search space is reduced to

smaller than 2G it is no longer circular (unlike the firstiteration where the counter increment in the first bin can beimpacted by the fourth bin) Now if the sequence numberfalls in the first bin then the counter remains the same ifit falls in the second bin the counter will increment 1 andso on We discuss the realistic settings and performance ofdifferent ldquoNrdquo in sect37

0 4G

(a) First iteration

(b) A later iteration

2G1G 3G

1 3 2

Bin 1Counter += 2

0 250M

1

of packets

of packets

Bin 2Counter += 1

Bin 3Counter += 4

Bin 4Counter += 5

500M 750M 1G

1 1

Bin 1Counter += 0

Bin 2Counter += 1

Bin 3Counter += 2

Bin 4Counter += 3

Figure 5 Sequence number inference illustration using theDelayedACKLost packet counter (four-way search)

Client-side sequence number inference Sometimesit is necessary to infer the client-side sequence number forthe purpose of either injecting data to the victim serveror injecting data to the victim client with an appropri-ate ACK number The latter is currently unnecessary asLinuxAndroid and BSDMac OS allows half of the ACKnumber space to be valid [26] For the former we can stilluse the same DelayedACKLost counter to infer the ACKnumber

Specifically as discussed in sect33 the only ending sequencenumber that can satisfy the retransmission check is the oneequal to the next expected sequence number When thathappens the TCP stack increments the DelayedACKLostpacket counter again The source code of the retransmissioncheck is shown in Figure 6

Since the retransmission check is after the ACK num-ber check it allows an attacker to send a non-zero payloadpacket that has the ending sequence number equal to thenext expected sequence number with a guessed ACK num-ber If it does not pass the ACK number check the packetis dropped and the DelayedACKLost counter does not incre-ment Otherwise the packet is considered a retransmittedpacket and triggers the counter to increment Based on suchbehavior we can perform a binary search or N-way searchon the ACK number similar to the sequence number searchIn fact the procedure is mostly identical

if (after(TCP_SKB_CB(skb)-gtend_seq tp-gtrcv_nxt))

NET_INC_STATS_BH(sock_net(sk)

LINUX_MIB_DELAYEDACKLOST)

hellip

Figure 6 Retransmission check source code snippet fromtcp data queue() in Linux

35 Sequence-Number-Dependent Countersin BSDMac OS

Inspired by the newly discovered counter in Linux wefurther conduct a survey on the latest FreeBSD source code

(version 10) Surprisingly we find that at least four pairsof packet counters can leak TCP sequence number Thecounters are confirmed to exist in Mac OS as well This find-ing shows that the sequence-number-dependent counters arewidely available and apparently considered safe to include inthe OS They are 1) rcvduppack and rcvdupbyte 2) rcvpack-afterwin and rcvbyteafterwin 3) rcvoopack and rcvoobyte 4)rcvdupack and rcvacktoomuch They can be either accessedthrough the standardldquonetstat -srdquo interface or sysctl API [11]

The first three pairs can be used to infer server-side se-quence numbers Specifically based on the source code thesemantic of rcvduppack is identical to that of DelayedACK-Lost rcvdupbyte however additionally provides informa-tion on the number of bytes (payload) carried in the incom-ing packets that are considered duplicate (with an old se-quence number) This counter greatly benefits the sequencenumber inference Following the same ldquoN-wayrdquo procedurethe first iteration can be improved by changing the ldquok pack-ets sent per binrdquo to ldquoa single packet with k bytes payloadrdquoThis improvement substantially reduces the number of pack-etsbytes sent in each iteration especially when ldquoNrdquo is large(shown in sect37)

The semantic of rcvpackafterwin and rcvbyteafterwin issimilar to rcvduppack and rcvdupbyte except that the for-mer increments only when the sequence number is biggerthan (instead of smaller than) certain sequence number XIn this case X is the expected sequence number plus thereceive window size rcvbyteafterwin can be used similarlyas rcvdupbyte to conduct the sequence number inference

rcvoopack and rcvoobyte differ from the previous two pairsThey increment only when packets arrive out of order ormore precisely when the sequence number is bigger thanthe expected sequence number yet smaller than the expectedsequence number plus the receive window size Even thoughan attacker needs to send a lot more packets to infer theTCP sequence number using this counter pair at least theycan be used to replace the original noisy side-channel in thePhrack attack [1] to improve success rate

rcvdupack and rcvacktoomuch are used to determine theclient-side sequence numbers Specifically the former in-crements when the ACK number of an incoming packetis smaller than or equal to the unacknowledged number(SNDUNA) The latter increments when the ACK num-ber is greater than the sequence number of the next origi-nal transmit (SNDMAX) The comparison again follows theldquounsigned integer to signed integer conversionrdquosuch that halfof the ACK number space is considered to match the condi-tion

We currently did not combine the counters together to im-prove the inference speed However we do realize there arepotential ways to speed things up For instance the rcvdup-byte and rcvdupack allows the client-side sequence numberinference to be piggybacked with the server-side sequencenumber inference

36 Sequence-Number-Dependent Countersin Microsoft Windows

Interestingly Microsoft Windows OSes do not appear toexpose such sequence-number-dependent counters and arethus not vulnerable to the attack On Windows 7 for ex-ample the TCP-related packet counters include the totalnumber of incoming packets outgoing packets and the num-ber of packets retransmitted from the output of ldquonetstat -

srdquo These packet counters do not leak sequence numbersdirectly

37 Inference Performance and OverheadWe have implemented the sequence number inference on

both Android (which incorporates the Linux kernel) andMac OS We are interested in the tradeoffs between differentstrategies in picking ldquoNrdquo in the ldquoN-way searchrdquo

Generally as ldquoNrdquo goes up the total number of bytes sentshould also increase Since the first iteration in the ldquoN-wayrdquosearch requires sending more bytes we pick a smaller ldquoNrdquofor the first iteration and a bigger ldquoNrdquo in the later iterationsto ensure that the number of bytes sent in each round issimilar In the Linux implementation we pick the followingpairs of N (22 46 830 1284) For Mac OS we pick(22 46 3450 82228) Here 46 means that we pickN=4 for the first iteration and N=6 for the later iterations

As shown in Figure 7 we can see that the general tradeoffis that the fewer iterations an attacker wants the more byteshe needs to send in total For instance when the number ofiterations is 4 an attacker on Linux needs to send 137KBWith the presence of the rcvdupbyte counter in Mac OS itrequires to send only 84KB This is a rather low networkresource requirement because it takes only 70ms to push84KB onto the wire with even just 1Mbps bandwidth Go-ing further down to 3 iterations requires sending 2775KBfor Mac OS Depending on the available bandwidth and theRTT we may or may not want to increase the number ofbytes to save one round trip

Next we pick N=3450 (4 round trips) for Mac OS at-tacks and N=830 (5 round trips) for Linux attacks (withroughly the same resource requirement) and plot the infer-ence time measured under various conditions We controlthe RTT between the attacker and the victim in three dif-ferent settings 1) The victim is in an office environment(enterprise-like) connected to the network using WiFi andthe attacker is in the same building (the RTT is around5-10ms) 2) The victim is in a home environment and theattacker is 50ms RTT away 3) The victim is in a home envi-ronment and the attacker is 100ms RTT away In Figure 8we see that in the first setting the inference time for Androidand Mac OS are 80ms and 50ms which are low enough todirectly launch injection attacks on HTTP connections withthe guarantee that the inference finishes before the first le-gitimate response packet comes back (also discussed laterin sect42) In fact inference time between 350ms and 700mscan be short enough in certain scenarios (see sect51)

38 Noisiness of Sequence-Number-Dependent Counters

So far we have claimed that these sequence-number-dependent counters are ldquocleanrdquo side-channels that rarely in-crement naturally even with background traffic To quanti-tatively support this claim we conduct a worse-case-scenarioexperiment as follows We open a YouTube video at thebackground and browse web pages at the same time to seehow often the counters get incremented Since it is easierto do the multi-tasking on Mac OS we choose it over theAndroid platform The Android counters should incrementeven less frequently since smartphones are rarely used forvideo streaming and web browsing simultaneously

We pick the rcvdupbyte counter (which is equivalent to De-layedACKLost on Linux) and run the experiments for about

85 minutes The video is long enough that it has not beenfully buffered by the end of the experiment To quantifythe counter noisiness we break down the time into 30ms in-tervals to mimic the window of exposure during one roundof probing and then count how many intervals in whichwe observe any counter increment As expected there areonly 10 intervals out of 16896 that have the increment Thisindicates that the probability that the counter incrementsdue to noise and interference with one round of probing isroughly 0059 Even if there are 22 rounds (worse case)the probability that the entire probing will be affected bythe counter noisiness is only 12

4 DESIGN AND IMPLEMENTATION OFTCP ATTACKS

In the previous section we described how to infer TCPsequence number efficiently and reliably using the newly dis-covered set of sequence-number-dependent packet countersSince the sequence number inference only takes less than asecond it can be fast enough to launch many application-layer attacks In this section we discuss four possible TCPattacks that can be launched against a variety of applica-tions All of the attacks leverage the TCP sequence numberinference as the essential building block but the main dif-ference is in the timing and reliability with slightly differentrequirements We have implemented the attacks on bothAndroid and Mac OS We use Android as the example fordescription

Injection vs Hijacking Using the same terminology as arecent work [26] we define TCP hijacking to be the morepowerful attack than TCP injection Specifically TCP hi-jacking allows an attacker to inject packets right after theTCP 3-way handshake For instance it enables an attackerto inject a complete HTTP response without any interfer-ence In contrast TCP Injection is more general and doesnot require this capability

The four attacks are named as (1) client-side TCP Injec-tion (2) passive TCP hijacking (3) active TCP hijacking(4) server-side TCP injection

41 Attack RequirementsThere are a number of base requirements that need to

be satisfied for all of these TCP attacks Note that ourattacks have much fewer requirements than the one proposedin the recent study [26] Specifically we do not require afirewall middlebox in the network which makes our attacksapplicable in a much more general environment

The set of requirements include (1) malware on the clientwith Internet access (2) malware that can run in the back-ground and read packet counters (3) malware that canread the list of active TCP connections and their four tu-ples and (4) a predictable external port number if NATis deployed The first three requirements are straightfor-ward All of the Android applications can easily request In-ternet access read packet counters (ieprocnetnetstatand procnetsnmp or ldquonetstat -srdquo) and read active TCPconnectionsrsquo four tuples (eg through procnettcp andprocnettcp6 or ldquonetstatrdquo) The requirements can be eas-ily satisfied on most modern OSes as well In addition anoff-path attacker needs the clientrsquos external port mapping tochoose the correct four tuples when sending probing packetsso we need the fourth requirement This requirement is also

commonly satisfied since many NAT mapping types allowthe external port to be predictable to facilitate NAT traver-sal For instance our home routers directly map the internalports to the external ports According to recent measure-ment studies on the NAT mapping types [21 31] the major-ity of the NATs studied do have predictable external portsFurther even if the prediction is not 100 accurate attacksmay still succeed by guessing the mappings

Additional requirements for passive TCP hijacking are C1and S1

(C1) Client-side ISN has only the lower 24-bit random-ized This requirement is necessary so that the malwarecan roughly predict the range of the ISN of a newly createdTCP connection In Linux kernels earlier than 302 theISN generation algorithm is designed such that ISNs for dif-ferent connections are not completely independent Insteadthe high 8 bits for all ISNs is a global number that incre-ments slowly (every five minutes) This feature is designedto balance security reliability and performance It is longperceived as a good optimization with the historical detailsand explanations in this article [5] The result of this designis that the ISN of two back-to-back connections will be atmost 224 = 16 777 216 apart Even though it is a designdecision and not considered a ldquovulnerabilityrdquo since Linux302 the kernel has changed the ISN generation algorithmsuch that two consecutive connections will have independentISNs The majority of Android systems that are on the mar-ket are still on Linux 26XX which means that they are allvulnerable to the passive TCP hijacking attack

(S1) The legitimate server has a host-based stateful TCPfirewall Such a firewall is capable of dropping out-of-stateTCP packets Many websites such as Facebook and Twitterdeploy such host firewalls to reduce malicious traffic Forinstance iptables can be easily configured to achieve thispurpose [10] Interestingly as we will discuss later this se-curity feature on the server actually enables TCP hijackingattacks

In order to perform active TCP hijacking attacks the ad-ditional requirements include S1 and C2

(C2) Client-side ISN monotonically incrementing for thesame four tuples This client-side requirement is in fact ex-plicitly defined in RFC 793 [9] to prevent packets of old con-nections with in-range sequence numbers from being ac-cepted by the current connection mistakenly Even thoughthe latest Linux kernel has eliminated the requirement C1C2 is still preserved

42 Client-Side TCP InjectionIn this attack an attacker attempts to inject malicious

data into a connection established by other apps on thephone The essential part of the attack is the TCP sequencenumber inference which has already been described in de-tail The challenge is that the injected data may competewith the data sent from the legitimate server For instanceconsidering the connection under attack is an HTTP sessionwhere a valid HTTP response typically follows immediatelyafter the request is sent by the time the sequence numberinference is done at least part of the HTTP response is al-ready sent by the server The injected HTTP packets likelycan only corrupt the response and cause denial of serviceinstead of serious damage

Even though the timing requirement sounds difficult tosatisfy we did implement this attack against websites such

0

5

10

15

20

25

30

2 4 6 8 10 12 14 16 18 20 22

tota

l

of

byte

s r

eq

uire

d (

KB

)

of round trips (iterations)

AndroidMac

Figure 7 Tradeoff between inferencespeed and overhead

0

100

200

300

400

500

600

700

0 10 20 30 40 50 60 70 80 90 100

Infe

rence tim

e (

ms)

RTT between attacker and client (ms)

AndroidMac

Figure 8 Relationship between RTTand inference time

Off-path attacker

Legit Server

Victim App

Unprivileged malware

Phone

Co

nn

ectio

n re

set

6 Seq number inference -- start

7 Seq number inference -- end

8 Malicious response

4 Spoofed RSTs

1 SYN

5 ACKrequest

3 SYN-ACK (seq = Y)

2 Notification of new conn

Figure 9 Passive TCP hijacking se-quence

Off-path attacker

Legit Server

Victim App

Unprivileged malware

PhoneC

on

ne

ction

rese

t

9 Seq number inference -- start

10 Seq number inference -- end

11 Malicious response

8 Spoofed RSTs

1 Conn(X)

6 Conn(X)

3 Seq + ACK inference -- start

2 Notification of conn(X)

4 Seq + ACK inference -- end

7 Notification of conn(X)

5 Port jamming

Figure 10 Active TCP hijacking se-quence

as Facebook where we are able to inject malicious Javascriptsto post new status on behalf of a victim user The detail isdescribed in sect51

The idea is to leverage two common scenarios (1) Theserver may take a long time to process a request and as-semble the response This is especially common as manyservices (websites) take longer than 100ms or more to pro-cess a request The fact that the sequence number inferencetime in certain scenarios (when RTT from the server to theclient is small) can be made below 100ms makes the injectionattack as powerful as hijacking (2) A single TCP connec-tion is reused for more than one pair of HTTP request andresponse The idea is to use the inferred sequence numberfor injecting malicious data not on the first HTTP requestbut the later ones In both cases an attacker has enoughtime to conduct sequence number inference

43 Passive TCP HijackingPassive TCP hijacking allows an attacker to hijack TCP

connections that are passively detected This means that theattacker can hijack TCP connections issued by the browseror any other app regardless of how and when they are madeIt is the most powerful TCP attack in this study As demon-strated in sect5 with this attack it is possible to replace theFacebook login page with a phishing one

The high-level idea is the same as proposed in the recentwork [26] which is to reset the connection on the legitimateserver as soon as possible to allow the attacker to claim tobe the legitimate server talking to the victim The key isthat such reset has to be triggered right after the legitimateserver sends SYN-ACK Requirement C1 allows the mal-ware and the attacker to predict the rough range of victimrsquosISN and send reset packets with sequence numbers in thatrange This is helpful because the attacker is required tosend fewer spoofed RST packets (thus with lower bandwidthrequirement) compared to enumerating the entire 4G spaceFurther after the legitimate server is reset requirement S1is necessary since it helps prevent the legitimate server fromgenerating RST upon receiving out-of-state data or ACKpackets from the victim

The attack sequence diagram is shown in Figure 9 Timesteps 1 to 3 are the same as the previous attack where the un-privileged malware detects and reports the newly established

TCP connection In addition the malware also needs to es-tablish a connection to the off-path attacker to report thecurrent ISN value (high 8 bits) With this information attime 4 the off-path attacker can flood the legitimate serverwith a number of spoofed RSTs enumerating the lower 24bits (sequence numbers can increment by a step size as largeas the serverrsquos receive window size) Note that the RSTpackets have to arrive before the ACKrequest packets attime 5 otherwise the server may send back the responsepackets before the attacker Of course the server may needsome time to process the request as well which can varyfrom case to case allowing the attacker additional time tocomplete the reset procedure After the legitimate serverrsquosconnection is reset all future packets from the victim appwill be considered out-of-state and silently dropped due torequirement S1 For instance the ACK packet received attime 5 is silently discarded From time 6 to 7 the attackerconducts the sequence number inference described earlierand injects malicious content afterwards at time 8 with theinferred sequence number A more detailed analysis on thebandwidth and time requirement is discussed in a similarsetting in a prior work [26]

44 Server-side TCP InjectionIn this attack an attacker tries to inject malicious payload

into a victim connection destined for the server (as opposedto the client) For instance as shown in the case study in sect5we are able to target at Windows live messenger protocolsto inject malicious commands to cause persistent changes tothe victim user account eg adding new friends or removingexisting friends

This attack is straightforward by combining the sequencenumber inference and ACK number inference as describedin sect3 We omit the detailed attack sequence as it does notinclude other important steps This attack has no additionalrequirements besides the base requirements In general ap-plications with unencrypted and stateful protocols are goodattack targets

45 Active TCP HijackingIn this attack an attacker attempts to hijack connections

However because the latest Linux kernel since 302 has theentire 32-bit randomized for ISNs of different four tuples

requirement C1 is no longer satisfied In this case we showthat it is still possible to launch a weaker version of TCPhijacking by ldquoactivelyrdquo performing offline analysis as long asrequirement C2 is satisfied As shown in sect5 we have success-fully used the port-jamming-assisted active TCP hijackingto replace a Facebook login page with a phishing one

Requirement C2 specifies that the ISN for the same four-tuple always increments with time This implies that as longas an attacker can infer the clientrsquos ISN for a particular four-tuple once he can store the value for a future connectionthat reuses the same four-tuple and reset the server usingthe stored ISN (plus the increment by time) so that theattacker can hijack the connection

The detailed attack sequence is demonstrated in Fig-ure 10 at time 1 the unprivileged malware establishes aconnection on its own to a target server of interest (egFacebook server) and notifies the off-path attacker imme-diately (at time 2) so that it can infer the client ISN of theused four tuples (through time 3 to 4) Now assuming thatthe attacker knows that a victim app is about to initiate aconnection to the same server an attacker can immediatelyperform port jamming to exhaust all the local port numbers(at time 5) so that the victim apprsquos connection can only usethe local port number that was in the inferred four tuples(we will describe how port jamming can be done later) Nowthat the victim connection reuses the same four tuples themalware can immediately notify the off-path attacker (attime 6) which uses the previously inferred client-side ISNto reset the server (at time 7) Subsequently the attacksequence is identical to the end of passive TCP hijacking

In the above attack sequence one critical part is theknowledge of when the victim app initiates the connection tothe target website One simple strategy is to actively triggerthe victim app to make the connection through the unpriv-ileged malware On Android for instance any app coulddirectly invoke the browser going to a given URL beforewhich the attacker can perform the port jamming

One alternative strategy is to perform offline analysis onas many four tuples as possible so that it can essentially ob-tain the knowledge of ISN for all possible four tuples goingto a particular website (without requiring port jamming)This way after the offline analysis is performed the attackerbasically can launch passive TCP hijacking on any of thefour tuples that have been previously analyzed Since eachclient-side ISN inference should take a little over a secondan attacker can infer for instance 1000 four tuples in 15minutes Even though a connection to Facebook may have1 probability falling in the range the user may repeatedlyvisit the website and the probability that all of the connec-tions failing to match any existing four tuples is likely verylow We have verified that the ISN for the same four-tupledoes increment consistently over time for over an hour Wesuspect that the cryptographic key for computing ISN doesnot change until reboot in Linux 302 and above

To jam local ports the unprivileged malware can simplystart a local server then open many connections to the localserver intentionally occupying most of the local port exceptthe ones that are previously seen for inference One chal-lenge is that the OS may limit the total number of ports thatan application can occupy thus preventing the attacker fromopening too many concurrent connections Interestingly wefind such limit can be bypassed if the established connectionsare immediately closed (which no longer counts towards the

limit) The local port numbers are not immediately releasedsince the closed connections enter the TCP TIME WAITstate for a duration of 1 to 2 minutes

5 ATTACK IMPACT ANALYSIS FROMCASE STUDIES

Experiment setup As discussed earlier even though ourattacks are implemented on both Android and Mac OS wechoose to focus on Android in our implementation and ex-periments We use two different phones Motorola Atrix andSamsung Captivate We verified that all attacks work onboth Android phones although the experimental results arerepeated based on Atrix The WiFi networks include a homenetwork and a university network The off-path attacker ishosted on one or more Planetlab nodes in California

We describe four case studies corresponding to the fourTCP attacks proposed in the previous section We alsopresent experimental results such as how likely we can suc-ceed in hijacking the Facebook login page based on repeatedexperiments

For all attacks we implemented the malware as a benignapp that has the functionality of downloading wallpapersfrom the Internet (thus justifying the Internet permission)Since the malware needs to scan netstat (or procnettcpand procnettcp6 equivalently) for new connection detec-tion which can drain the phonersquos battery very quickly wemake the malware stealthy such that it only scans for newconnections when it detects that the victim app of interestis at the foreground This can be achieved by querying eachapprsquos IMPORTANCE FOREGROUND flag which is typi-cally set by the Android OS whenever it is brought to theforeground Further the malware queries the packet counteronly when the off-path attacker instructs it to do so Themalware is only used in our controlled experiment environ-ments without affecting real users

Note that most apps except the browser on the smart-phones do not have an indication about whether the con-nection is using SSL which means that the users may becompletely unaware of the potential security breach for un-encrypted connections (eg HTTP connections used in theFacebook app)

51 Facebook Javascript InjectionWe launch the attack based on client-side TCP injec-

tion as described in sect42 Recall that the injection can hap-pen only after the sequence number inference finishes If theinference cannot be done earlier than the response comesback the attacker will miss the window of opportunity

By examining the packet trace generated by visiting theFacebook website where a user is already logged in we iden-tify two possible ways to launch the Javascript injection at-tack The first attack is surprisingly straightforward Ba-sically when the user visits mfacebookcom the browserissues an HTTP request that fetches all recent news We ob-serve that it consistently takes the server more than 15 sec-onds to process the request before sending back the first re-sponse packet According to our results in sect37 the inferencetime usually finishes within 07s even when RTT=100ms Itallows enough time for an attacker to inject the maliciousresponse in time (or inject a phishing login page as well)As shown in Table 1 the success rate is 875 based on40 repeated experiments in our home environment where

a more efficient probing scheme For instance we show thatit takes as little as 50ms to complete the inference two or-ders of magnitude faster than previous method It can eveneliminate the need of conducting additional TCP hijackingattacks required before resulting in a much higher attacksuccess rate (See sect51)

As a proof-of-concept demonstration we show that ourattack allows a piece of unprivileged malware on Androidsmartphones to hijack a Facebook connection replacing thelogin page or injecting malicious Javascripts to post newstatus on behalf of the victim user or performing other ac-tions All these attacks (except the TCP hijacking attack)work on the latest Linux kernel TCP hijacking requires ker-nel versions earlier than 302 which are still the case for themajority of the Android phones Besides AndroidLinux wealso demonstrate that the attack is applicable to the latestBSDMac OS We believe our work presents an importantmessage that todayrsquos systems still expose too much sharedstate with poor isolation

The rest of the paper is organized as follows sect2 thor-oughly describes the related work sect3 explains how to inferTCP sequence number (including both previous study andour discovery) sect4 covers how we can leverage the sequencenumber inference as a building block to conduct a number ofTCP attacks sect5 shows several cases studies demonstratingthe impact on specific applications sect6 discusses why theproblem occurred and concludes

2 RELATED WORKTCP sequence number inference attack By far

there are only a few reported TCP sequence number in-ference attacks The first one goes back to 1999 where aTCP stack bug causes the kernel to silently drop the thirdpacket during ldquothree-way handshakerdquo if the ACK number issmaller than the expected ACK number and sends a resetotherwise [4] This allows an attacker to send spoofed ACKpackets and infer the correct ACK number This minor bugwas quickly fixed Besides it there are three other closelyrelated studies One of them is described in the Phrackmagazine [1] that uses the IPID side channel on Windowsto infer both the server-side and the client-side TCP se-quence numbers According to our empirical results suchattack is theoretically possible but very hard to carry outIt can succeed under rather limited conditions due to a largenumber of packets required as well as the noisy side-channelthat is leveraged Following the same direction a more re-cent work [20] improves the reliability of the attack by re-quiring certain control on the client (eg javascript throughbrowser) yet it still relies on the noisy IPID side channelavailable on Windows only

A closely related recent work [26] discusses how sequence-number-checking firewall middleboxes can leak the TCP se-quence number state stored on the firewall The idea isthat if a packet has passed the sequence-number-checkingfirewall it implies that the sequence number of the packet isconsidered within a legitimate window Otherwise it impliesthat the packet has an out-of-window sequence number Asa result if an attacker can observe whether a spoofed packethas passed the firewall he will be able to know if a guessedsequence number is correct To do so an attacker can in-tentionally craft a spoofed packet with certain errors (egold timestamp) and then leverage the error packet coun-ters on the host (eg packets rejected due to old times-

tamps) to tell if a spoofed packet has passed the firewalland reached the end-host In our work we make a ma-jor improvement by eliminating the requirement of firewallmiddleboxes altogether with the help of a class of ldquosequence-number-dependentrdquo packet counters that we discover Inaddition to a more general attack model we also show sig-nificant improvements on success rate and attack speed withmuch lower network resource requirements

Other TCP-sequence-number-related attacks (1)TCP sequence number prediction attack Different fromTCP sequence number inference attack the prediction at-tack relies on the non-randomness of TCP Initial SequenceNumbers (ISN) [25 2] To defend the attack RFC1948 [7]standardizes the ISN randomization behavior such that dif-ferent connections should generate random sequence num-bers independently (2) Blind TCP RST attack Due to thefact that a connection will be reset as long as the sequencenumber of the reset (RST) packet falls in the current receivewindow in a long-lived connection (eg a BGP session) anattacker can brute force all possible target connections andsequence number ranges [8 32] to cause denial of service

Smartphone-based attacks There have been a num-ber of attacks against smartphones many of which focus onleaking sensitive information [15 16 28] In addition thereis a class of privilege escalation attacks on Android [17 1914] but they are limited to gaining permissions that typi-cally cannot affect the behavior of other applications Forinstance one application may gain the permission of readingthe contact list or GPS location through other colluding orvulnerable apps but it cannot tamper with the TCP connec-tion of other applications given the OSrsquos sandboxing mecha-nisms Our study demonstrates that injection and hijackingof TCP connections can be achieved without requiring anyspecial permission other than the permission to access theInternet

Side-channel information leakage A wide range ofside channels have been investigated before CPU powershared memoryfiles and even electromagnetic waves etcResearchers have found that it is possible to construct vari-ous attacks eg to infer keystrokes through many side chan-nels [30 33 29 13 18] It is especially interesting to see howsmartphones can allow malware to infer sensitive informa-tion through on-board sensors (which can also be consideredas side-channels) For instance Soundcomber [28] uses theaudio sensor to record credit card numbers entered throughkeypad In our work we also rely on side-channels on thehost but the attacks infer information at the network-layer

3 TCP SEQUENCE NUMBER INFER-ENCE ATTACK

The ultimate goal of the attack is to inject malicious TCPpayload into apps running on a victim smartphone or clientdevice It is achieved by a piece of unprivileged on-devicemalware collaborating with an off-path attacker on the In-ternet The main implication of this attack is that websitesthat do not use HTTPS will be vulnerable to various at-tacks such as phishing and Javascript injection because theHTTP response can be potentially replaced Even if HTTPSis used they are still vulnerable to connection reset attacksas we show that the sequence number can be quickly inferredin under a second

1

(Y Y + WIN)

Probing

Packets

2 Feedback

Figure 1 Threat model

31 Threat ModelThe threat model is illustrated in Figure 1 There are

four main entities (1) The victim smartphone and a targetapplication constituting the attack target (2) The legiti-mate server which talks to the victim smartphone using anunencrypted application-layer protocol (eg HTTP) Theserver can also become the attack target (see sect5) (3) Theon-device malware which is unprivileged and cannot tam-per with other apps directly (4) The off-path attacker whois capable of spoofing the IP address of the legitimate serverand the victim smartphone The off-path attacker and themalware collaborate to infer the correct TCP sequence num-ber of the connection established between the target app andthe legitimate server Note that different from the threatmodel described in the recent study [26] this attack doesnot require the network firewall middlebox making our at-tack model much more general

At a high level as shown in Figure 1 the off-path at-tacker needs two pieces of information (1) the four tuplesof a target connection ie sourcedestination IP addressesand sourcedestination port numbers and (2) the correct se-quence number The on-device malware can easily identifythe current active connections (eg through netstat) butit does not know the sequence number in use In this at-tack model the off-path attacker can send probe packetsusing the target four tuples with different guessed sequencenumbers The unprivileged malware then uses certain side-channels to provide feedback on whether the guessed se-quence numbers are correct Guided by the feedback theoff-path attacker can then adjust the sequence numbers tonarrow down the correct sequence number

32 Packet Counter Side ChannelsIn this study we look at a particular type of side chan-

nel packet counters that can potentially provide indirectfeedback on whether a guessed sequence number is correctIn Linux the procfs [24] exposes aggregated statistics onthe number of incomingoutgoing TCP packets with certainproperties (eg wrong checksums) Alternatively ldquonetstat-srdquo exposes a similar set of information on all major OSesincluding Microsoft Windows Linux BSD Mac OS andsmartphone OSes like Android and iOS Since such coun-ters are aggregated over the entire system they are gener-ally considered safe and thus accessible to any user or pro-gram without requiring special permissions The IPID side-channel [27] can be considered as a special form of packetcounter that records the total number of outgoing packetssince it is incremented for every outgoing packet Howeversuch side-channel is nowadays only available on MicrosoftWindows and is typically very noisy

Even though it is generally perceived safe we show thatan attacker can correlate the packet counter update with

how the TCP stack treats a spoofed probing packet witha guessed sequence number Different from the recentwork [26] that uses certain ldquoerror countersrdquo as an indica-tion of whether a spoofed packet has passed the sequence-number-checking firewall middlebox our hypothesis is thatthe TCP stack may increment certain counters when theguessed sequence number is wrong and remain the samewhen it is correct or vice versa Such counters can directlyleak sequence numbers without the help of the firewall mid-dlebox and are thus named ldquosequence-number-dependentcountersrdquo (details in sect34 and sect35) To investigate such apossibility we first need to understand how TCP stack han-dles an incoming TCP packet and how various counters areincremented during the process

33 TCP Incoming Packet ValidationIn this section we provide background on how a standard

TCP stack validates an incoming packet that belongs to anestablished TCP connection Specifically we use the sourcecode of the latest Linux kernel 326 (at the time of writing)as reference to extract the steps taken and checks performedon an incoming packet (the packet validation logic is sta-ble since 2628) Based on the source code we summarizeldquosequence-number-dependentrdquo side-channels on Linux andextend it to BSDMac OS

Error check

Sequence number

check

Ack number

check

0-payload check

In-window

Valid

Pass

Fail

Out-of-window

Invalid

0-payload

Payload gt= 1

Error

counter++

tcp_send_dupack()

Drop

Ignore

Accept

Retransmission

check

Not retransmission

RetransmissionImmediate

ACK

Figure 2 Incoming packet validation logic

As we can see in Figure 2 there exist five main checksperformed by Linux TCP stack based on the correspondingsource code as well as our controlled experiments Thesechecks are performed for any incoming TCP packet that isdeemed to belong to an established connection based on thefour tuples

(1) Error check is for the purpose of dropping invalidpackets early on There are a number of specific error checks1) MD5 option check 2) timestamp option check 3) packetlength and checksum check Each has a corresponding errorpacket counter If a specific error is caught the correspond-ing host packet counter is incremented and the packet is notinspected further Otherwise it goes to the next step

(2) Sequence number check is the most relevant checkIt basically checks if a packet is in window by making surethat the ending sequence number of the incoming packet islarger than or equal to X and the starting sequence number

is smaller than or equal to X+rcv win where X is the nextexpected sequence number and rcv win is the current re-ceive window size If the sequence number is out of windowit triggers an immediate duplicate acknowledgment packetto be sent back indicating the correct sequence number thatit is expecting Otherwise the next check is conducted

(3) Acknowledge number check is an additional validitycheck on the packet A valid ACK number should theoreti-cally be within [Y Y+outstanding bytes] to be consideredvalid Here Y is the first unacknowledged sequence num-ber and outstanding bytes is total number of outstandingbytes not yet acknowledged Linux has a relaxed implemen-tation which allows half of the ACK number space to beconsidered valid (we discuss its impact later) If the ACKnumber is considered invalid then it is dropped withoutfurther processing Else the packet goes through the laternon-validity-related checks

(4) At this point the packet has the correct sequencenumber and the ACK number The stack needs to check if ithas any payload If it does not have any payload the packetis silently ignored unless there happens to be pending datathat can be piggybacked In particular the host cannot sendanother 0-payload acknowledgment packet for the 0-payloadincoming ACK packet which will create endless TCP ACKstorm [23]

(5) If the packet has non-zero payload the final check isto detect retransmission by checking if the ending sequencenumber of the packet is smaller than or equal to the nextexpected sequence number If so it does not process thepacket further and immediately sends an ACK packet to in-form the other end of the expected sequence number Sincestep 2 has already ensured that the ending sequence numbercannot be smaller than the next expected sequence numberthe only possible ending sequence number that can satisfythe retransmission check is the one equal to the next ex-pected sequence number

From the above description on how a TCP packet is han-dled it is not hard to tell that depending on whether thesequence number is in or out of window the TCP stack maybehave differently which can be observed by the on-devicemalware Specifically if it is an out-of-window packet with0-payload it most likely will not trigger any outgoing packetHowever if it is an in-window packet it immediately trig-gers an outgoing duplicate ACK packet As a result it ispossible to use the counter that records the total number ofoutgoing packets to tell if a guessed sequence number is inwindow

A similar observation has been made by the previousstudy in the Phrack magazine [1] The problem with theirapproach to infer sequence number is that such generalpacket counters can be very noisy mdash there may be back-ground traffic which can increment the system-wide outgo-ing packet counters It is especially problematic when thereceive window size is small mdash a large number of packetsneed to be sent and the probing is very likely to have limitedsuccess In fact we have implemented such sequence num-ber inference attack on a smartphone at home connectedto the broadband ISP through WiFi with 10Mbps down-link bandwidth Through 20 repeated experiments we findthat the inference always failed because of the noise of thebackground traffic

It is also worth noting that the error checks are performedat the very beginning preceding the sequence number check

which means that the corresponding error counters used bythe recent study [26] alone cannot provide any feedback ona guessed TCP sequence number

34 Sequence-Number-Dependent Counter inLinux

The reason why the Phrack attack [1] is difficult to carryout is two-fold (1) The required number of packets is toolarge an attacker needs to send at least one packet per re-ceive window in order to figure out the right sequence num-ber range (2) The counter that records the total number ofoutgoing packets is too noisy Subsequently we show thatboth problems can be addressed by using a newly discov-ered set of sequence-number-dependent packet counters thatincrement when the sequence number of an incoming packetmatches certain conditions

if (TCP_SKB_CB(skb)-gtend_seq = TCP_SKB_CB(skb)-gtseq

ampamp before(TCP_SKB_CB(skb)-gtseq tp-gtrcv_nxt))

NET_INC_STATS_BH(sock_net(sk)

LINUX_MIB_DELAYEDACKLOST)hellip

Figure 3 tcp send dupack() source code snippet in Linux

Server-side sequence number inference We closelystudy the function tcp send dupack() which is called af-ter the sequence number check (depicted in Figure 2)Within the function we discover an interesting piece ofcode shown in Figure 3 The ldquoifrdquo condition says if thepacketrsquos starting sequence number is not equal to its end-ing sequence number (ie the packet has nonzero pay-load) and its starting sequence number is ldquobeforerdquo the ex-pected sequence number then a packet counter named De-layedACKLost is incremented (which is publicly accessiblefrom procnetnetstat) This particular logic is to detectlost delayed ACK packets sent previously and switch fromthe delayed ACK mode into the quick ACK mode [12] Thepresence of an oldretransmitted TCP packet is an indica-tion that the delayed ACKs were lost

The question is how ldquobefore()rdquo is implemented In Linux(and Mac OS) it basically subtracts an unsigned 32-bit in-teger from another unsigned 32-bit integer and converts theresult into a signed 32-bit integer This means that half ofthe sequence number space (ie 2G) is considered beforethe expected sequence number For instance two unsignedintegers 1G minus 2G would lead to an unsigned integer 3GWhen converting to an signed value we obtain -1G

The net effect of the tcp send dupack() is that it allows anattacker to easily determine if a guessed sequence numberis before or after the expected sequence number Since theDelayedACKLost counter very rarely increments naturally(See sect38) an attacker can use this counter as a clean andreliable side-channel

Binary search Using this special counter it is straight-forward to conduct a binary search on the expected sequencenumber Note that the process is significantly different thanthe one proposed in the earlier work [26] in that the earlierwork still requires sending one packet per ldquowindowrdquo whichresults in a total of thousands or tens of thousands of pack-ets Here as illustrated in Figure 4 the attacker only needsto send one packet each round and only a total of 32 packetsresulting in hardly any bandwidth requirement

Specifically as shown in the figure in the first iterationthe attacker can try the middle of the sequence number space(ie 2G) If the expected sequence number falls in the firsthalf (ie bin 1) the DelayedACKLost counter incrementsby 1 Otherwise (ie if it falls in bin 2) the counter remainsthe same Suppose the attacker finds that the expected se-quence number is in the first half after the first iteration inthe second iteration he can try 1G to further narrow downthe sequence number After log2 4G = 32 rounds (also 32packets) the exact sequence number can be pinpointed Thetotal inference time can be roughly calculated as 32timesRTT In reality the number of RTTs can be further reduced bystopping the inference at an earlier iteration For instance ifit is stopped at the 31st iterations the attacker would knowthat the sequence number is either X or X+1 Similarlyif the number of iterations is 22 the attacker knows thatthe sequence number is within [X X+1024) In many casesthis is sufficient because the attacker can still inject a singlepacket with payload of 1460 bytes and pad the first 1024bytes with whitespace (which effectively leaves 436 bytes ofeffective payload) For instance if the application-layer pro-tocol is HTTP the whitespace is safely ignored even if theyhappen to be accepted as part of the HTTP response

0 4G

(a) First iteration

(b) Second iteration

2G

1

Bin 1Counter++

0

of packets

of packets

Bin 2Counter += 0

1G 2G

1

Bin 1Counter++

Bin 2Counter += 0

Figure 4 Sequence number inference illustration using theDelayedACKLost packet counter (binary search)

N-way search To further improve the inference speedwe devise a variation of the ldquoN-way searchrdquo proposed in therecent work [26] The idea is similar mdash instead of eliminatinghalf of the sequence number space each iteration we caneliminate Nminus1

Nof the search space by simultaneously probing

N-1 of N equally-partitioned bins The difference is thatthe inference requires one or two orders of magnitude fewerpackets compared to the previously proposed search

Figure 5 illustrates the process of a 4-way search In thefirst iteration the search space is equally partitioned into4 bins The attacker sends one packet with sequence num-ber 1G three packets with sequence number 2G and twopackets with sequence number 3G If the expected sequencenumber falls in the first bin the DelayedACKLost counterincrements by 2 as the two packets sent with sequence num-ber 3G are considered before the expected sequence numberSimilarly the counter increments by a different number fordifferent bins In general as long as the number of packetssent for each bin follow the distance between two consecu-tive marks on a circularmodular Golomb ruler [3] the De-layedACKLost counter increment will be unique when theexpected sequence number falls in different bins

In the later iterations however a much simpler strategycan be used In Figure 5(b) an attacker can just send onepacket per bin instead of following the circular Golomb rulerThe reason is that now that the search space is reduced to

smaller than 2G it is no longer circular (unlike the firstiteration where the counter increment in the first bin can beimpacted by the fourth bin) Now if the sequence numberfalls in the first bin then the counter remains the same ifit falls in the second bin the counter will increment 1 andso on We discuss the realistic settings and performance ofdifferent ldquoNrdquo in sect37

0 4G

(a) First iteration

(b) A later iteration

2G1G 3G

1 3 2

Bin 1Counter += 2

0 250M

1

of packets

of packets

Bin 2Counter += 1

Bin 3Counter += 4

Bin 4Counter += 5

500M 750M 1G

1 1

Bin 1Counter += 0

Bin 2Counter += 1

Bin 3Counter += 2

Bin 4Counter += 3

Figure 5 Sequence number inference illustration using theDelayedACKLost packet counter (four-way search)

Client-side sequence number inference Sometimesit is necessary to infer the client-side sequence number forthe purpose of either injecting data to the victim serveror injecting data to the victim client with an appropri-ate ACK number The latter is currently unnecessary asLinuxAndroid and BSDMac OS allows half of the ACKnumber space to be valid [26] For the former we can stilluse the same DelayedACKLost counter to infer the ACKnumber

Specifically as discussed in sect33 the only ending sequencenumber that can satisfy the retransmission check is the oneequal to the next expected sequence number When thathappens the TCP stack increments the DelayedACKLostpacket counter again The source code of the retransmissioncheck is shown in Figure 6

Since the retransmission check is after the ACK num-ber check it allows an attacker to send a non-zero payloadpacket that has the ending sequence number equal to thenext expected sequence number with a guessed ACK num-ber If it does not pass the ACK number check the packetis dropped and the DelayedACKLost counter does not incre-ment Otherwise the packet is considered a retransmittedpacket and triggers the counter to increment Based on suchbehavior we can perform a binary search or N-way searchon the ACK number similar to the sequence number searchIn fact the procedure is mostly identical

if (after(TCP_SKB_CB(skb)-gtend_seq tp-gtrcv_nxt))

NET_INC_STATS_BH(sock_net(sk)

LINUX_MIB_DELAYEDACKLOST)

hellip

Figure 6 Retransmission check source code snippet fromtcp data queue() in Linux

35 Sequence-Number-Dependent Countersin BSDMac OS

Inspired by the newly discovered counter in Linux wefurther conduct a survey on the latest FreeBSD source code

(version 10) Surprisingly we find that at least four pairsof packet counters can leak TCP sequence number Thecounters are confirmed to exist in Mac OS as well This find-ing shows that the sequence-number-dependent counters arewidely available and apparently considered safe to include inthe OS They are 1) rcvduppack and rcvdupbyte 2) rcvpack-afterwin and rcvbyteafterwin 3) rcvoopack and rcvoobyte 4)rcvdupack and rcvacktoomuch They can be either accessedthrough the standardldquonetstat -srdquo interface or sysctl API [11]

The first three pairs can be used to infer server-side se-quence numbers Specifically based on the source code thesemantic of rcvduppack is identical to that of DelayedACK-Lost rcvdupbyte however additionally provides informa-tion on the number of bytes (payload) carried in the incom-ing packets that are considered duplicate (with an old se-quence number) This counter greatly benefits the sequencenumber inference Following the same ldquoN-wayrdquo procedurethe first iteration can be improved by changing the ldquok pack-ets sent per binrdquo to ldquoa single packet with k bytes payloadrdquoThis improvement substantially reduces the number of pack-etsbytes sent in each iteration especially when ldquoNrdquo is large(shown in sect37)

The semantic of rcvpackafterwin and rcvbyteafterwin issimilar to rcvduppack and rcvdupbyte except that the for-mer increments only when the sequence number is biggerthan (instead of smaller than) certain sequence number XIn this case X is the expected sequence number plus thereceive window size rcvbyteafterwin can be used similarlyas rcvdupbyte to conduct the sequence number inference

rcvoopack and rcvoobyte differ from the previous two pairsThey increment only when packets arrive out of order ormore precisely when the sequence number is bigger thanthe expected sequence number yet smaller than the expectedsequence number plus the receive window size Even thoughan attacker needs to send a lot more packets to infer theTCP sequence number using this counter pair at least theycan be used to replace the original noisy side-channel in thePhrack attack [1] to improve success rate

rcvdupack and rcvacktoomuch are used to determine theclient-side sequence numbers Specifically the former in-crements when the ACK number of an incoming packetis smaller than or equal to the unacknowledged number(SNDUNA) The latter increments when the ACK num-ber is greater than the sequence number of the next origi-nal transmit (SNDMAX) The comparison again follows theldquounsigned integer to signed integer conversionrdquosuch that halfof the ACK number space is considered to match the condi-tion

We currently did not combine the counters together to im-prove the inference speed However we do realize there arepotential ways to speed things up For instance the rcvdup-byte and rcvdupack allows the client-side sequence numberinference to be piggybacked with the server-side sequencenumber inference

36 Sequence-Number-Dependent Countersin Microsoft Windows

Interestingly Microsoft Windows OSes do not appear toexpose such sequence-number-dependent counters and arethus not vulnerable to the attack On Windows 7 for ex-ample the TCP-related packet counters include the totalnumber of incoming packets outgoing packets and the num-ber of packets retransmitted from the output of ldquonetstat -

srdquo These packet counters do not leak sequence numbersdirectly

37 Inference Performance and OverheadWe have implemented the sequence number inference on

both Android (which incorporates the Linux kernel) andMac OS We are interested in the tradeoffs between differentstrategies in picking ldquoNrdquo in the ldquoN-way searchrdquo

Generally as ldquoNrdquo goes up the total number of bytes sentshould also increase Since the first iteration in the ldquoN-wayrdquosearch requires sending more bytes we pick a smaller ldquoNrdquofor the first iteration and a bigger ldquoNrdquo in the later iterationsto ensure that the number of bytes sent in each round issimilar In the Linux implementation we pick the followingpairs of N (22 46 830 1284) For Mac OS we pick(22 46 3450 82228) Here 46 means that we pickN=4 for the first iteration and N=6 for the later iterations

As shown in Figure 7 we can see that the general tradeoffis that the fewer iterations an attacker wants the more byteshe needs to send in total For instance when the number ofiterations is 4 an attacker on Linux needs to send 137KBWith the presence of the rcvdupbyte counter in Mac OS itrequires to send only 84KB This is a rather low networkresource requirement because it takes only 70ms to push84KB onto the wire with even just 1Mbps bandwidth Go-ing further down to 3 iterations requires sending 2775KBfor Mac OS Depending on the available bandwidth and theRTT we may or may not want to increase the number ofbytes to save one round trip

Next we pick N=3450 (4 round trips) for Mac OS at-tacks and N=830 (5 round trips) for Linux attacks (withroughly the same resource requirement) and plot the infer-ence time measured under various conditions We controlthe RTT between the attacker and the victim in three dif-ferent settings 1) The victim is in an office environment(enterprise-like) connected to the network using WiFi andthe attacker is in the same building (the RTT is around5-10ms) 2) The victim is in a home environment and theattacker is 50ms RTT away 3) The victim is in a home envi-ronment and the attacker is 100ms RTT away In Figure 8we see that in the first setting the inference time for Androidand Mac OS are 80ms and 50ms which are low enough todirectly launch injection attacks on HTTP connections withthe guarantee that the inference finishes before the first le-gitimate response packet comes back (also discussed laterin sect42) In fact inference time between 350ms and 700mscan be short enough in certain scenarios (see sect51)

38 Noisiness of Sequence-Number-Dependent Counters

So far we have claimed that these sequence-number-dependent counters are ldquocleanrdquo side-channels that rarely in-crement naturally even with background traffic To quanti-tatively support this claim we conduct a worse-case-scenarioexperiment as follows We open a YouTube video at thebackground and browse web pages at the same time to seehow often the counters get incremented Since it is easierto do the multi-tasking on Mac OS we choose it over theAndroid platform The Android counters should incrementeven less frequently since smartphones are rarely used forvideo streaming and web browsing simultaneously

We pick the rcvdupbyte counter (which is equivalent to De-layedACKLost on Linux) and run the experiments for about

85 minutes The video is long enough that it has not beenfully buffered by the end of the experiment To quantifythe counter noisiness we break down the time into 30ms in-tervals to mimic the window of exposure during one roundof probing and then count how many intervals in whichwe observe any counter increment As expected there areonly 10 intervals out of 16896 that have the increment Thisindicates that the probability that the counter incrementsdue to noise and interference with one round of probing isroughly 0059 Even if there are 22 rounds (worse case)the probability that the entire probing will be affected bythe counter noisiness is only 12

4 DESIGN AND IMPLEMENTATION OFTCP ATTACKS

In the previous section we described how to infer TCPsequence number efficiently and reliably using the newly dis-covered set of sequence-number-dependent packet countersSince the sequence number inference only takes less than asecond it can be fast enough to launch many application-layer attacks In this section we discuss four possible TCPattacks that can be launched against a variety of applica-tions All of the attacks leverage the TCP sequence numberinference as the essential building block but the main dif-ference is in the timing and reliability with slightly differentrequirements We have implemented the attacks on bothAndroid and Mac OS We use Android as the example fordescription

Injection vs Hijacking Using the same terminology as arecent work [26] we define TCP hijacking to be the morepowerful attack than TCP injection Specifically TCP hi-jacking allows an attacker to inject packets right after theTCP 3-way handshake For instance it enables an attackerto inject a complete HTTP response without any interfer-ence In contrast TCP Injection is more general and doesnot require this capability

The four attacks are named as (1) client-side TCP Injec-tion (2) passive TCP hijacking (3) active TCP hijacking(4) server-side TCP injection

41 Attack RequirementsThere are a number of base requirements that need to

be satisfied for all of these TCP attacks Note that ourattacks have much fewer requirements than the one proposedin the recent study [26] Specifically we do not require afirewall middlebox in the network which makes our attacksapplicable in a much more general environment

The set of requirements include (1) malware on the clientwith Internet access (2) malware that can run in the back-ground and read packet counters (3) malware that canread the list of active TCP connections and their four tu-ples and (4) a predictable external port number if NATis deployed The first three requirements are straightfor-ward All of the Android applications can easily request In-ternet access read packet counters (ieprocnetnetstatand procnetsnmp or ldquonetstat -srdquo) and read active TCPconnectionsrsquo four tuples (eg through procnettcp andprocnettcp6 or ldquonetstatrdquo) The requirements can be eas-ily satisfied on most modern OSes as well In addition anoff-path attacker needs the clientrsquos external port mapping tochoose the correct four tuples when sending probing packetsso we need the fourth requirement This requirement is also

commonly satisfied since many NAT mapping types allowthe external port to be predictable to facilitate NAT traver-sal For instance our home routers directly map the internalports to the external ports According to recent measure-ment studies on the NAT mapping types [21 31] the major-ity of the NATs studied do have predictable external portsFurther even if the prediction is not 100 accurate attacksmay still succeed by guessing the mappings

Additional requirements for passive TCP hijacking are C1and S1

(C1) Client-side ISN has only the lower 24-bit random-ized This requirement is necessary so that the malwarecan roughly predict the range of the ISN of a newly createdTCP connection In Linux kernels earlier than 302 theISN generation algorithm is designed such that ISNs for dif-ferent connections are not completely independent Insteadthe high 8 bits for all ISNs is a global number that incre-ments slowly (every five minutes) This feature is designedto balance security reliability and performance It is longperceived as a good optimization with the historical detailsand explanations in this article [5] The result of this designis that the ISN of two back-to-back connections will be atmost 224 = 16 777 216 apart Even though it is a designdecision and not considered a ldquovulnerabilityrdquo since Linux302 the kernel has changed the ISN generation algorithmsuch that two consecutive connections will have independentISNs The majority of Android systems that are on the mar-ket are still on Linux 26XX which means that they are allvulnerable to the passive TCP hijacking attack

(S1) The legitimate server has a host-based stateful TCPfirewall Such a firewall is capable of dropping out-of-stateTCP packets Many websites such as Facebook and Twitterdeploy such host firewalls to reduce malicious traffic Forinstance iptables can be easily configured to achieve thispurpose [10] Interestingly as we will discuss later this se-curity feature on the server actually enables TCP hijackingattacks

In order to perform active TCP hijacking attacks the ad-ditional requirements include S1 and C2

(C2) Client-side ISN monotonically incrementing for thesame four tuples This client-side requirement is in fact ex-plicitly defined in RFC 793 [9] to prevent packets of old con-nections with in-range sequence numbers from being ac-cepted by the current connection mistakenly Even thoughthe latest Linux kernel has eliminated the requirement C1C2 is still preserved

42 Client-Side TCP InjectionIn this attack an attacker attempts to inject malicious

data into a connection established by other apps on thephone The essential part of the attack is the TCP sequencenumber inference which has already been described in de-tail The challenge is that the injected data may competewith the data sent from the legitimate server For instanceconsidering the connection under attack is an HTTP sessionwhere a valid HTTP response typically follows immediatelyafter the request is sent by the time the sequence numberinference is done at least part of the HTTP response is al-ready sent by the server The injected HTTP packets likelycan only corrupt the response and cause denial of serviceinstead of serious damage

Even though the timing requirement sounds difficult tosatisfy we did implement this attack against websites such

0

5

10

15

20

25

30

2 4 6 8 10 12 14 16 18 20 22

tota

l

of

byte

s r

eq

uire

d (

KB

)

of round trips (iterations)

AndroidMac

Figure 7 Tradeoff between inferencespeed and overhead

0

100

200

300

400

500

600

700

0 10 20 30 40 50 60 70 80 90 100

Infe

rence tim

e (

ms)

RTT between attacker and client (ms)

AndroidMac

Figure 8 Relationship between RTTand inference time

Off-path attacker

Legit Server

Victim App

Unprivileged malware

Phone

Co

nn

ectio

n re

set

6 Seq number inference -- start

7 Seq number inference -- end

8 Malicious response

4 Spoofed RSTs

1 SYN

5 ACKrequest

3 SYN-ACK (seq = Y)

2 Notification of new conn

Figure 9 Passive TCP hijacking se-quence

Off-path attacker

Legit Server

Victim App

Unprivileged malware

PhoneC

on

ne

ction

rese

t

9 Seq number inference -- start

10 Seq number inference -- end

11 Malicious response

8 Spoofed RSTs

1 Conn(X)

6 Conn(X)

3 Seq + ACK inference -- start

2 Notification of conn(X)

4 Seq + ACK inference -- end

7 Notification of conn(X)

5 Port jamming

Figure 10 Active TCP hijacking se-quence

as Facebook where we are able to inject malicious Javascriptsto post new status on behalf of a victim user The detail isdescribed in sect51

The idea is to leverage two common scenarios (1) Theserver may take a long time to process a request and as-semble the response This is especially common as manyservices (websites) take longer than 100ms or more to pro-cess a request The fact that the sequence number inferencetime in certain scenarios (when RTT from the server to theclient is small) can be made below 100ms makes the injectionattack as powerful as hijacking (2) A single TCP connec-tion is reused for more than one pair of HTTP request andresponse The idea is to use the inferred sequence numberfor injecting malicious data not on the first HTTP requestbut the later ones In both cases an attacker has enoughtime to conduct sequence number inference

43 Passive TCP HijackingPassive TCP hijacking allows an attacker to hijack TCP

connections that are passively detected This means that theattacker can hijack TCP connections issued by the browseror any other app regardless of how and when they are madeIt is the most powerful TCP attack in this study As demon-strated in sect5 with this attack it is possible to replace theFacebook login page with a phishing one

The high-level idea is the same as proposed in the recentwork [26] which is to reset the connection on the legitimateserver as soon as possible to allow the attacker to claim tobe the legitimate server talking to the victim The key isthat such reset has to be triggered right after the legitimateserver sends SYN-ACK Requirement C1 allows the mal-ware and the attacker to predict the rough range of victimrsquosISN and send reset packets with sequence numbers in thatrange This is helpful because the attacker is required tosend fewer spoofed RST packets (thus with lower bandwidthrequirement) compared to enumerating the entire 4G spaceFurther after the legitimate server is reset requirement S1is necessary since it helps prevent the legitimate server fromgenerating RST upon receiving out-of-state data or ACKpackets from the victim

The attack sequence diagram is shown in Figure 9 Timesteps 1 to 3 are the same as the previous attack where the un-privileged malware detects and reports the newly established

TCP connection In addition the malware also needs to es-tablish a connection to the off-path attacker to report thecurrent ISN value (high 8 bits) With this information attime 4 the off-path attacker can flood the legitimate serverwith a number of spoofed RSTs enumerating the lower 24bits (sequence numbers can increment by a step size as largeas the serverrsquos receive window size) Note that the RSTpackets have to arrive before the ACKrequest packets attime 5 otherwise the server may send back the responsepackets before the attacker Of course the server may needsome time to process the request as well which can varyfrom case to case allowing the attacker additional time tocomplete the reset procedure After the legitimate serverrsquosconnection is reset all future packets from the victim appwill be considered out-of-state and silently dropped due torequirement S1 For instance the ACK packet received attime 5 is silently discarded From time 6 to 7 the attackerconducts the sequence number inference described earlierand injects malicious content afterwards at time 8 with theinferred sequence number A more detailed analysis on thebandwidth and time requirement is discussed in a similarsetting in a prior work [26]

44 Server-side TCP InjectionIn this attack an attacker tries to inject malicious payload

into a victim connection destined for the server (as opposedto the client) For instance as shown in the case study in sect5we are able to target at Windows live messenger protocolsto inject malicious commands to cause persistent changes tothe victim user account eg adding new friends or removingexisting friends

This attack is straightforward by combining the sequencenumber inference and ACK number inference as describedin sect3 We omit the detailed attack sequence as it does notinclude other important steps This attack has no additionalrequirements besides the base requirements In general ap-plications with unencrypted and stateful protocols are goodattack targets

45 Active TCP HijackingIn this attack an attacker attempts to hijack connections

However because the latest Linux kernel since 302 has theentire 32-bit randomized for ISNs of different four tuples

requirement C1 is no longer satisfied In this case we showthat it is still possible to launch a weaker version of TCPhijacking by ldquoactivelyrdquo performing offline analysis as long asrequirement C2 is satisfied As shown in sect5 we have success-fully used the port-jamming-assisted active TCP hijackingto replace a Facebook login page with a phishing one

Requirement C2 specifies that the ISN for the same four-tuple always increments with time This implies that as longas an attacker can infer the clientrsquos ISN for a particular four-tuple once he can store the value for a future connectionthat reuses the same four-tuple and reset the server usingthe stored ISN (plus the increment by time) so that theattacker can hijack the connection

The detailed attack sequence is demonstrated in Fig-ure 10 at time 1 the unprivileged malware establishes aconnection on its own to a target server of interest (egFacebook server) and notifies the off-path attacker imme-diately (at time 2) so that it can infer the client ISN of theused four tuples (through time 3 to 4) Now assuming thatthe attacker knows that a victim app is about to initiate aconnection to the same server an attacker can immediatelyperform port jamming to exhaust all the local port numbers(at time 5) so that the victim apprsquos connection can only usethe local port number that was in the inferred four tuples(we will describe how port jamming can be done later) Nowthat the victim connection reuses the same four tuples themalware can immediately notify the off-path attacker (attime 6) which uses the previously inferred client-side ISNto reset the server (at time 7) Subsequently the attacksequence is identical to the end of passive TCP hijacking

In the above attack sequence one critical part is theknowledge of when the victim app initiates the connection tothe target website One simple strategy is to actively triggerthe victim app to make the connection through the unpriv-ileged malware On Android for instance any app coulddirectly invoke the browser going to a given URL beforewhich the attacker can perform the port jamming

One alternative strategy is to perform offline analysis onas many four tuples as possible so that it can essentially ob-tain the knowledge of ISN for all possible four tuples goingto a particular website (without requiring port jamming)This way after the offline analysis is performed the attackerbasically can launch passive TCP hijacking on any of thefour tuples that have been previously analyzed Since eachclient-side ISN inference should take a little over a secondan attacker can infer for instance 1000 four tuples in 15minutes Even though a connection to Facebook may have1 probability falling in the range the user may repeatedlyvisit the website and the probability that all of the connec-tions failing to match any existing four tuples is likely verylow We have verified that the ISN for the same four-tupledoes increment consistently over time for over an hour Wesuspect that the cryptographic key for computing ISN doesnot change until reboot in Linux 302 and above

To jam local ports the unprivileged malware can simplystart a local server then open many connections to the localserver intentionally occupying most of the local port exceptthe ones that are previously seen for inference One chal-lenge is that the OS may limit the total number of ports thatan application can occupy thus preventing the attacker fromopening too many concurrent connections Interestingly wefind such limit can be bypassed if the established connectionsare immediately closed (which no longer counts towards the

limit) The local port numbers are not immediately releasedsince the closed connections enter the TCP TIME WAITstate for a duration of 1 to 2 minutes

5 ATTACK IMPACT ANALYSIS FROMCASE STUDIES

Experiment setup As discussed earlier even though ourattacks are implemented on both Android and Mac OS wechoose to focus on Android in our implementation and ex-periments We use two different phones Motorola Atrix andSamsung Captivate We verified that all attacks work onboth Android phones although the experimental results arerepeated based on Atrix The WiFi networks include a homenetwork and a university network The off-path attacker ishosted on one or more Planetlab nodes in California

We describe four case studies corresponding to the fourTCP attacks proposed in the previous section We alsopresent experimental results such as how likely we can suc-ceed in hijacking the Facebook login page based on repeatedexperiments

For all attacks we implemented the malware as a benignapp that has the functionality of downloading wallpapersfrom the Internet (thus justifying the Internet permission)Since the malware needs to scan netstat (or procnettcpand procnettcp6 equivalently) for new connection detec-tion which can drain the phonersquos battery very quickly wemake the malware stealthy such that it only scans for newconnections when it detects that the victim app of interestis at the foreground This can be achieved by querying eachapprsquos IMPORTANCE FOREGROUND flag which is typi-cally set by the Android OS whenever it is brought to theforeground Further the malware queries the packet counteronly when the off-path attacker instructs it to do so Themalware is only used in our controlled experiment environ-ments without affecting real users

Note that most apps except the browser on the smart-phones do not have an indication about whether the con-nection is using SSL which means that the users may becompletely unaware of the potential security breach for un-encrypted connections (eg HTTP connections used in theFacebook app)

51 Facebook Javascript InjectionWe launch the attack based on client-side TCP injec-

tion as described in sect42 Recall that the injection can hap-pen only after the sequence number inference finishes If theinference cannot be done earlier than the response comesback the attacker will miss the window of opportunity

By examining the packet trace generated by visiting theFacebook website where a user is already logged in we iden-tify two possible ways to launch the Javascript injection at-tack The first attack is surprisingly straightforward Ba-sically when the user visits mfacebookcom the browserissues an HTTP request that fetches all recent news We ob-serve that it consistently takes the server more than 15 sec-onds to process the request before sending back the first re-sponse packet According to our results in sect37 the inferencetime usually finishes within 07s even when RTT=100ms Itallows enough time for an attacker to inject the maliciousresponse in time (or inject a phishing login page as well)As shown in Table 1 the success rate is 875 based on40 repeated experiments in our home environment where

1

(Y Y + WIN)

Probing

Packets

2 Feedback

Figure 1 Threat model

31 Threat ModelThe threat model is illustrated in Figure 1 There are

four main entities (1) The victim smartphone and a targetapplication constituting the attack target (2) The legiti-mate server which talks to the victim smartphone using anunencrypted application-layer protocol (eg HTTP) Theserver can also become the attack target (see sect5) (3) Theon-device malware which is unprivileged and cannot tam-per with other apps directly (4) The off-path attacker whois capable of spoofing the IP address of the legitimate serverand the victim smartphone The off-path attacker and themalware collaborate to infer the correct TCP sequence num-ber of the connection established between the target app andthe legitimate server Note that different from the threatmodel described in the recent study [26] this attack doesnot require the network firewall middlebox making our at-tack model much more general

At a high level as shown in Figure 1 the off-path at-tacker needs two pieces of information (1) the four tuplesof a target connection ie sourcedestination IP addressesand sourcedestination port numbers and (2) the correct se-quence number The on-device malware can easily identifythe current active connections (eg through netstat) butit does not know the sequence number in use In this at-tack model the off-path attacker can send probe packetsusing the target four tuples with different guessed sequencenumbers The unprivileged malware then uses certain side-channels to provide feedback on whether the guessed se-quence numbers are correct Guided by the feedback theoff-path attacker can then adjust the sequence numbers tonarrow down the correct sequence number

32 Packet Counter Side ChannelsIn this study we look at a particular type of side chan-

nel packet counters that can potentially provide indirectfeedback on whether a guessed sequence number is correctIn Linux the procfs [24] exposes aggregated statistics onthe number of incomingoutgoing TCP packets with certainproperties (eg wrong checksums) Alternatively ldquonetstat-srdquo exposes a similar set of information on all major OSesincluding Microsoft Windows Linux BSD Mac OS andsmartphone OSes like Android and iOS Since such coun-ters are aggregated over the entire system they are gener-ally considered safe and thus accessible to any user or pro-gram without requiring special permissions The IPID side-channel [27] can be considered as a special form of packetcounter that records the total number of outgoing packetssince it is incremented for every outgoing packet Howeversuch side-channel is nowadays only available on MicrosoftWindows and is typically very noisy

Even though it is generally perceived safe we show thatan attacker can correlate the packet counter update with

how the TCP stack treats a spoofed probing packet witha guessed sequence number Different from the recentwork [26] that uses certain ldquoerror countersrdquo as an indica-tion of whether a spoofed packet has passed the sequence-number-checking firewall middlebox our hypothesis is thatthe TCP stack may increment certain counters when theguessed sequence number is wrong and remain the samewhen it is correct or vice versa Such counters can directlyleak sequence numbers without the help of the firewall mid-dlebox and are thus named ldquosequence-number-dependentcountersrdquo (details in sect34 and sect35) To investigate such apossibility we first need to understand how TCP stack han-dles an incoming TCP packet and how various counters areincremented during the process

33 TCP Incoming Packet ValidationIn this section we provide background on how a standard

TCP stack validates an incoming packet that belongs to anestablished TCP connection Specifically we use the sourcecode of the latest Linux kernel 326 (at the time of writing)as reference to extract the steps taken and checks performedon an incoming packet (the packet validation logic is sta-ble since 2628) Based on the source code we summarizeldquosequence-number-dependentrdquo side-channels on Linux andextend it to BSDMac OS

Error check

Sequence number

check

Ack number

check

0-payload check

In-window

Valid

Pass

Fail

Out-of-window

Invalid

0-payload

Payload gt= 1

Error

counter++

tcp_send_dupack()

Drop

Ignore

Accept

Retransmission

check

Not retransmission

RetransmissionImmediate

ACK

Figure 2 Incoming packet validation logic

As we can see in Figure 2 there exist five main checksperformed by Linux TCP stack based on the correspondingsource code as well as our controlled experiments Thesechecks are performed for any incoming TCP packet that isdeemed to belong to an established connection based on thefour tuples

(1) Error check is for the purpose of dropping invalidpackets early on There are a number of specific error checks1) MD5 option check 2) timestamp option check 3) packetlength and checksum check Each has a corresponding errorpacket counter If a specific error is caught the correspond-ing host packet counter is incremented and the packet is notinspected further Otherwise it goes to the next step

(2) Sequence number check is the most relevant checkIt basically checks if a packet is in window by making surethat the ending sequence number of the incoming packet islarger than or equal to X and the starting sequence number

is smaller than or equal to X+rcv win where X is the nextexpected sequence number and rcv win is the current re-ceive window size If the sequence number is out of windowit triggers an immediate duplicate acknowledgment packetto be sent back indicating the correct sequence number thatit is expecting Otherwise the next check is conducted

(3) Acknowledge number check is an additional validitycheck on the packet A valid ACK number should theoreti-cally be within [Y Y+outstanding bytes] to be consideredvalid Here Y is the first unacknowledged sequence num-ber and outstanding bytes is total number of outstandingbytes not yet acknowledged Linux has a relaxed implemen-tation which allows half of the ACK number space to beconsidered valid (we discuss its impact later) If the ACKnumber is considered invalid then it is dropped withoutfurther processing Else the packet goes through the laternon-validity-related checks

(4) At this point the packet has the correct sequencenumber and the ACK number The stack needs to check if ithas any payload If it does not have any payload the packetis silently ignored unless there happens to be pending datathat can be piggybacked In particular the host cannot sendanother 0-payload acknowledgment packet for the 0-payloadincoming ACK packet which will create endless TCP ACKstorm [23]

(5) If the packet has non-zero payload the final check isto detect retransmission by checking if the ending sequencenumber of the packet is smaller than or equal to the nextexpected sequence number If so it does not process thepacket further and immediately sends an ACK packet to in-form the other end of the expected sequence number Sincestep 2 has already ensured that the ending sequence numbercannot be smaller than the next expected sequence numberthe only possible ending sequence number that can satisfythe retransmission check is the one equal to the next ex-pected sequence number

From the above description on how a TCP packet is han-dled it is not hard to tell that depending on whether thesequence number is in or out of window the TCP stack maybehave differently which can be observed by the on-devicemalware Specifically if it is an out-of-window packet with0-payload it most likely will not trigger any outgoing packetHowever if it is an in-window packet it immediately trig-gers an outgoing duplicate ACK packet As a result it ispossible to use the counter that records the total number ofoutgoing packets to tell if a guessed sequence number is inwindow

A similar observation has been made by the previousstudy in the Phrack magazine [1] The problem with theirapproach to infer sequence number is that such generalpacket counters can be very noisy mdash there may be back-ground traffic which can increment the system-wide outgo-ing packet counters It is especially problematic when thereceive window size is small mdash a large number of packetsneed to be sent and the probing is very likely to have limitedsuccess In fact we have implemented such sequence num-ber inference attack on a smartphone at home connectedto the broadband ISP through WiFi with 10Mbps down-link bandwidth Through 20 repeated experiments we findthat the inference always failed because of the noise of thebackground traffic

It is also worth noting that the error checks are performedat the very beginning preceding the sequence number check

which means that the corresponding error counters used bythe recent study [26] alone cannot provide any feedback ona guessed TCP sequence number

34 Sequence-Number-Dependent Counter inLinux

The reason why the Phrack attack [1] is difficult to carryout is two-fold (1) The required number of packets is toolarge an attacker needs to send at least one packet per re-ceive window in order to figure out the right sequence num-ber range (2) The counter that records the total number ofoutgoing packets is too noisy Subsequently we show thatboth problems can be addressed by using a newly discov-ered set of sequence-number-dependent packet counters thatincrement when the sequence number of an incoming packetmatches certain conditions

if (TCP_SKB_CB(skb)-gtend_seq = TCP_SKB_CB(skb)-gtseq

ampamp before(TCP_SKB_CB(skb)-gtseq tp-gtrcv_nxt))

NET_INC_STATS_BH(sock_net(sk)

LINUX_MIB_DELAYEDACKLOST)hellip

Figure 3 tcp send dupack() source code snippet in Linux

Server-side sequence number inference We closelystudy the function tcp send dupack() which is called af-ter the sequence number check (depicted in Figure 2)Within the function we discover an interesting piece ofcode shown in Figure 3 The ldquoifrdquo condition says if thepacketrsquos starting sequence number is not equal to its end-ing sequence number (ie the packet has nonzero pay-load) and its starting sequence number is ldquobeforerdquo the ex-pected sequence number then a packet counter named De-layedACKLost is incremented (which is publicly accessiblefrom procnetnetstat) This particular logic is to detectlost delayed ACK packets sent previously and switch fromthe delayed ACK mode into the quick ACK mode [12] Thepresence of an oldretransmitted TCP packet is an indica-tion that the delayed ACKs were lost

The question is how ldquobefore()rdquo is implemented In Linux(and Mac OS) it basically subtracts an unsigned 32-bit in-teger from another unsigned 32-bit integer and converts theresult into a signed 32-bit integer This means that half ofthe sequence number space (ie 2G) is considered beforethe expected sequence number For instance two unsignedintegers 1G minus 2G would lead to an unsigned integer 3GWhen converting to an signed value we obtain -1G

The net effect of the tcp send dupack() is that it allows anattacker to easily determine if a guessed sequence numberis before or after the expected sequence number Since theDelayedACKLost counter very rarely increments naturally(See sect38) an attacker can use this counter as a clean andreliable side-channel

Binary search Using this special counter it is straight-forward to conduct a binary search on the expected sequencenumber Note that the process is significantly different thanthe one proposed in the earlier work [26] in that the earlierwork still requires sending one packet per ldquowindowrdquo whichresults in a total of thousands or tens of thousands of pack-ets Here as illustrated in Figure 4 the attacker only needsto send one packet each round and only a total of 32 packetsresulting in hardly any bandwidth requirement

Specifically as shown in the figure in the first iterationthe attacker can try the middle of the sequence number space(ie 2G) If the expected sequence number falls in the firsthalf (ie bin 1) the DelayedACKLost counter incrementsby 1 Otherwise (ie if it falls in bin 2) the counter remainsthe same Suppose the attacker finds that the expected se-quence number is in the first half after the first iteration inthe second iteration he can try 1G to further narrow downthe sequence number After log2 4G = 32 rounds (also 32packets) the exact sequence number can be pinpointed Thetotal inference time can be roughly calculated as 32timesRTT In reality the number of RTTs can be further reduced bystopping the inference at an earlier iteration For instance ifit is stopped at the 31st iterations the attacker would knowthat the sequence number is either X or X+1 Similarlyif the number of iterations is 22 the attacker knows thatthe sequence number is within [X X+1024) In many casesthis is sufficient because the attacker can still inject a singlepacket with payload of 1460 bytes and pad the first 1024bytes with whitespace (which effectively leaves 436 bytes ofeffective payload) For instance if the application-layer pro-tocol is HTTP the whitespace is safely ignored even if theyhappen to be accepted as part of the HTTP response

0 4G

(a) First iteration

(b) Second iteration

2G

1

Bin 1Counter++

0

of packets

of packets

Bin 2Counter += 0

1G 2G

1

Bin 1Counter++

Bin 2Counter += 0

Figure 4 Sequence number inference illustration using theDelayedACKLost packet counter (binary search)

N-way search To further improve the inference speedwe devise a variation of the ldquoN-way searchrdquo proposed in therecent work [26] The idea is similar mdash instead of eliminatinghalf of the sequence number space each iteration we caneliminate Nminus1

Nof the search space by simultaneously probing

N-1 of N equally-partitioned bins The difference is thatthe inference requires one or two orders of magnitude fewerpackets compared to the previously proposed search

Figure 5 illustrates the process of a 4-way search In thefirst iteration the search space is equally partitioned into4 bins The attacker sends one packet with sequence num-ber 1G three packets with sequence number 2G and twopackets with sequence number 3G If the expected sequencenumber falls in the first bin the DelayedACKLost counterincrements by 2 as the two packets sent with sequence num-ber 3G are considered before the expected sequence numberSimilarly the counter increments by a different number fordifferent bins In general as long as the number of packetssent for each bin follow the distance between two consecu-tive marks on a circularmodular Golomb ruler [3] the De-layedACKLost counter increment will be unique when theexpected sequence number falls in different bins

In the later iterations however a much simpler strategycan be used In Figure 5(b) an attacker can just send onepacket per bin instead of following the circular Golomb rulerThe reason is that now that the search space is reduced to

smaller than 2G it is no longer circular (unlike the firstiteration where the counter increment in the first bin can beimpacted by the fourth bin) Now if the sequence numberfalls in the first bin then the counter remains the same ifit falls in the second bin the counter will increment 1 andso on We discuss the realistic settings and performance ofdifferent ldquoNrdquo in sect37

0 4G

(a) First iteration

(b) A later iteration

2G1G 3G

1 3 2

Bin 1Counter += 2

0 250M

1

of packets

of packets

Bin 2Counter += 1

Bin 3Counter += 4

Bin 4Counter += 5

500M 750M 1G

1 1

Bin 1Counter += 0

Bin 2Counter += 1

Bin 3Counter += 2

Bin 4Counter += 3

Figure 5 Sequence number inference illustration using theDelayedACKLost packet counter (four-way search)

Client-side sequence number inference Sometimesit is necessary to infer the client-side sequence number forthe purpose of either injecting data to the victim serveror injecting data to the victim client with an appropri-ate ACK number The latter is currently unnecessary asLinuxAndroid and BSDMac OS allows half of the ACKnumber space to be valid [26] For the former we can stilluse the same DelayedACKLost counter to infer the ACKnumber

Specifically as discussed in sect33 the only ending sequencenumber that can satisfy the retransmission check is the oneequal to the next expected sequence number When thathappens the TCP stack increments the DelayedACKLostpacket counter again The source code of the retransmissioncheck is shown in Figure 6

Since the retransmission check is after the ACK num-ber check it allows an attacker to send a non-zero payloadpacket that has the ending sequence number equal to thenext expected sequence number with a guessed ACK num-ber If it does not pass the ACK number check the packetis dropped and the DelayedACKLost counter does not incre-ment Otherwise the packet is considered a retransmittedpacket and triggers the counter to increment Based on suchbehavior we can perform a binary search or N-way searchon the ACK number similar to the sequence number searchIn fact the procedure is mostly identical

if (after(TCP_SKB_CB(skb)-gtend_seq tp-gtrcv_nxt))

NET_INC_STATS_BH(sock_net(sk)

LINUX_MIB_DELAYEDACKLOST)

hellip

Figure 6 Retransmission check source code snippet fromtcp data queue() in Linux

35 Sequence-Number-Dependent Countersin BSDMac OS

Inspired by the newly discovered counter in Linux wefurther conduct a survey on the latest FreeBSD source code

(version 10) Surprisingly we find that at least four pairsof packet counters can leak TCP sequence number Thecounters are confirmed to exist in Mac OS as well This find-ing shows that the sequence-number-dependent counters arewidely available and apparently considered safe to include inthe OS They are 1) rcvduppack and rcvdupbyte 2) rcvpack-afterwin and rcvbyteafterwin 3) rcvoopack and rcvoobyte 4)rcvdupack and rcvacktoomuch They can be either accessedthrough the standardldquonetstat -srdquo interface or sysctl API [11]

The first three pairs can be used to infer server-side se-quence numbers Specifically based on the source code thesemantic of rcvduppack is identical to that of DelayedACK-Lost rcvdupbyte however additionally provides informa-tion on the number of bytes (payload) carried in the incom-ing packets that are considered duplicate (with an old se-quence number) This counter greatly benefits the sequencenumber inference Following the same ldquoN-wayrdquo procedurethe first iteration can be improved by changing the ldquok pack-ets sent per binrdquo to ldquoa single packet with k bytes payloadrdquoThis improvement substantially reduces the number of pack-etsbytes sent in each iteration especially when ldquoNrdquo is large(shown in sect37)

The semantic of rcvpackafterwin and rcvbyteafterwin issimilar to rcvduppack and rcvdupbyte except that the for-mer increments only when the sequence number is biggerthan (instead of smaller than) certain sequence number XIn this case X is the expected sequence number plus thereceive window size rcvbyteafterwin can be used similarlyas rcvdupbyte to conduct the sequence number inference

rcvoopack and rcvoobyte differ from the previous two pairsThey increment only when packets arrive out of order ormore precisely when the sequence number is bigger thanthe expected sequence number yet smaller than the expectedsequence number plus the receive window size Even thoughan attacker needs to send a lot more packets to infer theTCP sequence number using this counter pair at least theycan be used to replace the original noisy side-channel in thePhrack attack [1] to improve success rate

rcvdupack and rcvacktoomuch are used to determine theclient-side sequence numbers Specifically the former in-crements when the ACK number of an incoming packetis smaller than or equal to the unacknowledged number(SNDUNA) The latter increments when the ACK num-ber is greater than the sequence number of the next origi-nal transmit (SNDMAX) The comparison again follows theldquounsigned integer to signed integer conversionrdquosuch that halfof the ACK number space is considered to match the condi-tion

We currently did not combine the counters together to im-prove the inference speed However we do realize there arepotential ways to speed things up For instance the rcvdup-byte and rcvdupack allows the client-side sequence numberinference to be piggybacked with the server-side sequencenumber inference

36 Sequence-Number-Dependent Countersin Microsoft Windows

Interestingly Microsoft Windows OSes do not appear toexpose such sequence-number-dependent counters and arethus not vulnerable to the attack On Windows 7 for ex-ample the TCP-related packet counters include the totalnumber of incoming packets outgoing packets and the num-ber of packets retransmitted from the output of ldquonetstat -

srdquo These packet counters do not leak sequence numbersdirectly

37 Inference Performance and OverheadWe have implemented the sequence number inference on

both Android (which incorporates the Linux kernel) andMac OS We are interested in the tradeoffs between differentstrategies in picking ldquoNrdquo in the ldquoN-way searchrdquo

Generally as ldquoNrdquo goes up the total number of bytes sentshould also increase Since the first iteration in the ldquoN-wayrdquosearch requires sending more bytes we pick a smaller ldquoNrdquofor the first iteration and a bigger ldquoNrdquo in the later iterationsto ensure that the number of bytes sent in each round issimilar In the Linux implementation we pick the followingpairs of N (22 46 830 1284) For Mac OS we pick(22 46 3450 82228) Here 46 means that we pickN=4 for the first iteration and N=6 for the later iterations

As shown in Figure 7 we can see that the general tradeoffis that the fewer iterations an attacker wants the more byteshe needs to send in total For instance when the number ofiterations is 4 an attacker on Linux needs to send 137KBWith the presence of the rcvdupbyte counter in Mac OS itrequires to send only 84KB This is a rather low networkresource requirement because it takes only 70ms to push84KB onto the wire with even just 1Mbps bandwidth Go-ing further down to 3 iterations requires sending 2775KBfor Mac OS Depending on the available bandwidth and theRTT we may or may not want to increase the number ofbytes to save one round trip

Next we pick N=3450 (4 round trips) for Mac OS at-tacks and N=830 (5 round trips) for Linux attacks (withroughly the same resource requirement) and plot the infer-ence time measured under various conditions We controlthe RTT between the attacker and the victim in three dif-ferent settings 1) The victim is in an office environment(enterprise-like) connected to the network using WiFi andthe attacker is in the same building (the RTT is around5-10ms) 2) The victim is in a home environment and theattacker is 50ms RTT away 3) The victim is in a home envi-ronment and the attacker is 100ms RTT away In Figure 8we see that in the first setting the inference time for Androidand Mac OS are 80ms and 50ms which are low enough todirectly launch injection attacks on HTTP connections withthe guarantee that the inference finishes before the first le-gitimate response packet comes back (also discussed laterin sect42) In fact inference time between 350ms and 700mscan be short enough in certain scenarios (see sect51)

38 Noisiness of Sequence-Number-Dependent Counters

So far we have claimed that these sequence-number-dependent counters are ldquocleanrdquo side-channels that rarely in-crement naturally even with background traffic To quanti-tatively support this claim we conduct a worse-case-scenarioexperiment as follows We open a YouTube video at thebackground and browse web pages at the same time to seehow often the counters get incremented Since it is easierto do the multi-tasking on Mac OS we choose it over theAndroid platform The Android counters should incrementeven less frequently since smartphones are rarely used forvideo streaming and web browsing simultaneously

We pick the rcvdupbyte counter (which is equivalent to De-layedACKLost on Linux) and run the experiments for about

85 minutes The video is long enough that it has not beenfully buffered by the end of the experiment To quantifythe counter noisiness we break down the time into 30ms in-tervals to mimic the window of exposure during one roundof probing and then count how many intervals in whichwe observe any counter increment As expected there areonly 10 intervals out of 16896 that have the increment Thisindicates that the probability that the counter incrementsdue to noise and interference with one round of probing isroughly 0059 Even if there are 22 rounds (worse case)the probability that the entire probing will be affected bythe counter noisiness is only 12

4 DESIGN AND IMPLEMENTATION OFTCP ATTACKS

In the previous section we described how to infer TCPsequence number efficiently and reliably using the newly dis-covered set of sequence-number-dependent packet countersSince the sequence number inference only takes less than asecond it can be fast enough to launch many application-layer attacks In this section we discuss four possible TCPattacks that can be launched against a variety of applica-tions All of the attacks leverage the TCP sequence numberinference as the essential building block but the main dif-ference is in the timing and reliability with slightly differentrequirements We have implemented the attacks on bothAndroid and Mac OS We use Android as the example fordescription

Injection vs Hijacking Using the same terminology as arecent work [26] we define TCP hijacking to be the morepowerful attack than TCP injection Specifically TCP hi-jacking allows an attacker to inject packets right after theTCP 3-way handshake For instance it enables an attackerto inject a complete HTTP response without any interfer-ence In contrast TCP Injection is more general and doesnot require this capability

The four attacks are named as (1) client-side TCP Injec-tion (2) passive TCP hijacking (3) active TCP hijacking(4) server-side TCP injection

41 Attack RequirementsThere are a number of base requirements that need to

be satisfied for all of these TCP attacks Note that ourattacks have much fewer requirements than the one proposedin the recent study [26] Specifically we do not require afirewall middlebox in the network which makes our attacksapplicable in a much more general environment

The set of requirements include (1) malware on the clientwith Internet access (2) malware that can run in the back-ground and read packet counters (3) malware that canread the list of active TCP connections and their four tu-ples and (4) a predictable external port number if NATis deployed The first three requirements are straightfor-ward All of the Android applications can easily request In-ternet access read packet counters (ieprocnetnetstatand procnetsnmp or ldquonetstat -srdquo) and read active TCPconnectionsrsquo four tuples (eg through procnettcp andprocnettcp6 or ldquonetstatrdquo) The requirements can be eas-ily satisfied on most modern OSes as well In addition anoff-path attacker needs the clientrsquos external port mapping tochoose the correct four tuples when sending probing packetsso we need the fourth requirement This requirement is also

commonly satisfied since many NAT mapping types allowthe external port to be predictable to facilitate NAT traver-sal For instance our home routers directly map the internalports to the external ports According to recent measure-ment studies on the NAT mapping types [21 31] the major-ity of the NATs studied do have predictable external portsFurther even if the prediction is not 100 accurate attacksmay still succeed by guessing the mappings

Additional requirements for passive TCP hijacking are C1and S1

(C1) Client-side ISN has only the lower 24-bit random-ized This requirement is necessary so that the malwarecan roughly predict the range of the ISN of a newly createdTCP connection In Linux kernels earlier than 302 theISN generation algorithm is designed such that ISNs for dif-ferent connections are not completely independent Insteadthe high 8 bits for all ISNs is a global number that incre-ments slowly (every five minutes) This feature is designedto balance security reliability and performance It is longperceived as a good optimization with the historical detailsand explanations in this article [5] The result of this designis that the ISN of two back-to-back connections will be atmost 224 = 16 777 216 apart Even though it is a designdecision and not considered a ldquovulnerabilityrdquo since Linux302 the kernel has changed the ISN generation algorithmsuch that two consecutive connections will have independentISNs The majority of Android systems that are on the mar-ket are still on Linux 26XX which means that they are allvulnerable to the passive TCP hijacking attack

(S1) The legitimate server has a host-based stateful TCPfirewall Such a firewall is capable of dropping out-of-stateTCP packets Many websites such as Facebook and Twitterdeploy such host firewalls to reduce malicious traffic Forinstance iptables can be easily configured to achieve thispurpose [10] Interestingly as we will discuss later this se-curity feature on the server actually enables TCP hijackingattacks

In order to perform active TCP hijacking attacks the ad-ditional requirements include S1 and C2

(C2) Client-side ISN monotonically incrementing for thesame four tuples This client-side requirement is in fact ex-plicitly defined in RFC 793 [9] to prevent packets of old con-nections with in-range sequence numbers from being ac-cepted by the current connection mistakenly Even thoughthe latest Linux kernel has eliminated the requirement C1C2 is still preserved

42 Client-Side TCP InjectionIn this attack an attacker attempts to inject malicious

data into a connection established by other apps on thephone The essential part of the attack is the TCP sequencenumber inference which has already been described in de-tail The challenge is that the injected data may competewith the data sent from the legitimate server For instanceconsidering the connection under attack is an HTTP sessionwhere a valid HTTP response typically follows immediatelyafter the request is sent by the time the sequence numberinference is done at least part of the HTTP response is al-ready sent by the server The injected HTTP packets likelycan only corrupt the response and cause denial of serviceinstead of serious damage

Even though the timing requirement sounds difficult tosatisfy we did implement this attack against websites such

0

5

10

15

20

25

30

2 4 6 8 10 12 14 16 18 20 22

tota

l

of

byte

s r

eq

uire

d (

KB

)

of round trips (iterations)

AndroidMac

Figure 7 Tradeoff between inferencespeed and overhead

0

100

200

300

400

500

600

700

0 10 20 30 40 50 60 70 80 90 100

Infe

rence tim

e (

ms)

RTT between attacker and client (ms)

AndroidMac

Figure 8 Relationship between RTTand inference time

Off-path attacker

Legit Server

Victim App

Unprivileged malware

Phone

Co

nn

ectio

n re

set

6 Seq number inference -- start

7 Seq number inference -- end

8 Malicious response

4 Spoofed RSTs

1 SYN

5 ACKrequest

3 SYN-ACK (seq = Y)

2 Notification of new conn

Figure 9 Passive TCP hijacking se-quence

Off-path attacker

Legit Server

Victim App

Unprivileged malware

PhoneC

on

ne

ction

rese

t

9 Seq number inference -- start

10 Seq number inference -- end

11 Malicious response

8 Spoofed RSTs

1 Conn(X)

6 Conn(X)

3 Seq + ACK inference -- start

2 Notification of conn(X)

4 Seq + ACK inference -- end

7 Notification of conn(X)

5 Port jamming

Figure 10 Active TCP hijacking se-quence

as Facebook where we are able to inject malicious Javascriptsto post new status on behalf of a victim user The detail isdescribed in sect51

The idea is to leverage two common scenarios (1) Theserver may take a long time to process a request and as-semble the response This is especially common as manyservices (websites) take longer than 100ms or more to pro-cess a request The fact that the sequence number inferencetime in certain scenarios (when RTT from the server to theclient is small) can be made below 100ms makes the injectionattack as powerful as hijacking (2) A single TCP connec-tion is reused for more than one pair of HTTP request andresponse The idea is to use the inferred sequence numberfor injecting malicious data not on the first HTTP requestbut the later ones In both cases an attacker has enoughtime to conduct sequence number inference

43 Passive TCP HijackingPassive TCP hijacking allows an attacker to hijack TCP

connections that are passively detected This means that theattacker can hijack TCP connections issued by the browseror any other app regardless of how and when they are madeIt is the most powerful TCP attack in this study As demon-strated in sect5 with this attack it is possible to replace theFacebook login page with a phishing one

The high-level idea is the same as proposed in the recentwork [26] which is to reset the connection on the legitimateserver as soon as possible to allow the attacker to claim tobe the legitimate server talking to the victim The key isthat such reset has to be triggered right after the legitimateserver sends SYN-ACK Requirement C1 allows the mal-ware and the attacker to predict the rough range of victimrsquosISN and send reset packets with sequence numbers in thatrange This is helpful because the attacker is required tosend fewer spoofed RST packets (thus with lower bandwidthrequirement) compared to enumerating the entire 4G spaceFurther after the legitimate server is reset requirement S1is necessary since it helps prevent the legitimate server fromgenerating RST upon receiving out-of-state data or ACKpackets from the victim

The attack sequence diagram is shown in Figure 9 Timesteps 1 to 3 are the same as the previous attack where the un-privileged malware detects and reports the newly established

TCP connection In addition the malware also needs to es-tablish a connection to the off-path attacker to report thecurrent ISN value (high 8 bits) With this information attime 4 the off-path attacker can flood the legitimate serverwith a number of spoofed RSTs enumerating the lower 24bits (sequence numbers can increment by a step size as largeas the serverrsquos receive window size) Note that the RSTpackets have to arrive before the ACKrequest packets attime 5 otherwise the server may send back the responsepackets before the attacker Of course the server may needsome time to process the request as well which can varyfrom case to case allowing the attacker additional time tocomplete the reset procedure After the legitimate serverrsquosconnection is reset all future packets from the victim appwill be considered out-of-state and silently dropped due torequirement S1 For instance the ACK packet received attime 5 is silently discarded From time 6 to 7 the attackerconducts the sequence number inference described earlierand injects malicious content afterwards at time 8 with theinferred sequence number A more detailed analysis on thebandwidth and time requirement is discussed in a similarsetting in a prior work [26]

44 Server-side TCP InjectionIn this attack an attacker tries to inject malicious payload

into a victim connection destined for the server (as opposedto the client) For instance as shown in the case study in sect5we are able to target at Windows live messenger protocolsto inject malicious commands to cause persistent changes tothe victim user account eg adding new friends or removingexisting friends

This attack is straightforward by combining the sequencenumber inference and ACK number inference as describedin sect3 We omit the detailed attack sequence as it does notinclude other important steps This attack has no additionalrequirements besides the base requirements In general ap-plications with unencrypted and stateful protocols are goodattack targets

45 Active TCP HijackingIn this attack an attacker attempts to hijack connections

However because the latest Linux kernel since 302 has theentire 32-bit randomized for ISNs of different four tuples

requirement C1 is no longer satisfied In this case we showthat it is still possible to launch a weaker version of TCPhijacking by ldquoactivelyrdquo performing offline analysis as long asrequirement C2 is satisfied As shown in sect5 we have success-fully used the port-jamming-assisted active TCP hijackingto replace a Facebook login page with a phishing one

Requirement C2 specifies that the ISN for the same four-tuple always increments with time This implies that as longas an attacker can infer the clientrsquos ISN for a particular four-tuple once he can store the value for a future connectionthat reuses the same four-tuple and reset the server usingthe stored ISN (plus the increment by time) so that theattacker can hijack the connection

The detailed attack sequence is demonstrated in Fig-ure 10 at time 1 the unprivileged malware establishes aconnection on its own to a target server of interest (egFacebook server) and notifies the off-path attacker imme-diately (at time 2) so that it can infer the client ISN of theused four tuples (through time 3 to 4) Now assuming thatthe attacker knows that a victim app is about to initiate aconnection to the same server an attacker can immediatelyperform port jamming to exhaust all the local port numbers(at time 5) so that the victim apprsquos connection can only usethe local port number that was in the inferred four tuples(we will describe how port jamming can be done later) Nowthat the victim connection reuses the same four tuples themalware can immediately notify the off-path attacker (attime 6) which uses the previously inferred client-side ISNto reset the server (at time 7) Subsequently the attacksequence is identical to the end of passive TCP hijacking

In the above attack sequence one critical part is theknowledge of when the victim app initiates the connection tothe target website One simple strategy is to actively triggerthe victim app to make the connection through the unpriv-ileged malware On Android for instance any app coulddirectly invoke the browser going to a given URL beforewhich the attacker can perform the port jamming

One alternative strategy is to perform offline analysis onas many four tuples as possible so that it can essentially ob-tain the knowledge of ISN for all possible four tuples goingto a particular website (without requiring port jamming)This way after the offline analysis is performed the attackerbasically can launch passive TCP hijacking on any of thefour tuples that have been previously analyzed Since eachclient-side ISN inference should take a little over a secondan attacker can infer for instance 1000 four tuples in 15minutes Even though a connection to Facebook may have1 probability falling in the range the user may repeatedlyvisit the website and the probability that all of the connec-tions failing to match any existing four tuples is likely verylow We have verified that the ISN for the same four-tupledoes increment consistently over time for over an hour Wesuspect that the cryptographic key for computing ISN doesnot change until reboot in Linux 302 and above

To jam local ports the unprivileged malware can simplystart a local server then open many connections to the localserver intentionally occupying most of the local port exceptthe ones that are previously seen for inference One chal-lenge is that the OS may limit the total number of ports thatan application can occupy thus preventing the attacker fromopening too many concurrent connections Interestingly wefind such limit can be bypassed if the established connectionsare immediately closed (which no longer counts towards the

limit) The local port numbers are not immediately releasedsince the closed connections enter the TCP TIME WAITstate for a duration of 1 to 2 minutes

5 ATTACK IMPACT ANALYSIS FROMCASE STUDIES

Experiment setup As discussed earlier even though ourattacks are implemented on both Android and Mac OS wechoose to focus on Android in our implementation and ex-periments We use two different phones Motorola Atrix andSamsung Captivate We verified that all attacks work onboth Android phones although the experimental results arerepeated based on Atrix The WiFi networks include a homenetwork and a university network The off-path attacker ishosted on one or more Planetlab nodes in California

We describe four case studies corresponding to the fourTCP attacks proposed in the previous section We alsopresent experimental results such as how likely we can suc-ceed in hijacking the Facebook login page based on repeatedexperiments

For all attacks we implemented the malware as a benignapp that has the functionality of downloading wallpapersfrom the Internet (thus justifying the Internet permission)Since the malware needs to scan netstat (or procnettcpand procnettcp6 equivalently) for new connection detec-tion which can drain the phonersquos battery very quickly wemake the malware stealthy such that it only scans for newconnections when it detects that the victim app of interestis at the foreground This can be achieved by querying eachapprsquos IMPORTANCE FOREGROUND flag which is typi-cally set by the Android OS whenever it is brought to theforeground Further the malware queries the packet counteronly when the off-path attacker instructs it to do so Themalware is only used in our controlled experiment environ-ments without affecting real users

Note that most apps except the browser on the smart-phones do not have an indication about whether the con-nection is using SSL which means that the users may becompletely unaware of the potential security breach for un-encrypted connections (eg HTTP connections used in theFacebook app)

51 Facebook Javascript InjectionWe launch the attack based on client-side TCP injec-

tion as described in sect42 Recall that the injection can hap-pen only after the sequence number inference finishes If theinference cannot be done earlier than the response comesback the attacker will miss the window of opportunity

By examining the packet trace generated by visiting theFacebook website where a user is already logged in we iden-tify two possible ways to launch the Javascript injection at-tack The first attack is surprisingly straightforward Ba-sically when the user visits mfacebookcom the browserissues an HTTP request that fetches all recent news We ob-serve that it consistently takes the server more than 15 sec-onds to process the request before sending back the first re-sponse packet According to our results in sect37 the inferencetime usually finishes within 07s even when RTT=100ms Itallows enough time for an attacker to inject the maliciousresponse in time (or inject a phishing login page as well)As shown in Table 1 the success rate is 875 based on40 repeated experiments in our home environment where

is smaller than or equal to X+rcv win where X is the nextexpected sequence number and rcv win is the current re-ceive window size If the sequence number is out of windowit triggers an immediate duplicate acknowledgment packetto be sent back indicating the correct sequence number thatit is expecting Otherwise the next check is conducted

(3) Acknowledge number check is an additional validitycheck on the packet A valid ACK number should theoreti-cally be within [Y Y+outstanding bytes] to be consideredvalid Here Y is the first unacknowledged sequence num-ber and outstanding bytes is total number of outstandingbytes not yet acknowledged Linux has a relaxed implemen-tation which allows half of the ACK number space to beconsidered valid (we discuss its impact later) If the ACKnumber is considered invalid then it is dropped withoutfurther processing Else the packet goes through the laternon-validity-related checks

(4) At this point the packet has the correct sequencenumber and the ACK number The stack needs to check if ithas any payload If it does not have any payload the packetis silently ignored unless there happens to be pending datathat can be piggybacked In particular the host cannot sendanother 0-payload acknowledgment packet for the 0-payloadincoming ACK packet which will create endless TCP ACKstorm [23]

(5) If the packet has non-zero payload the final check isto detect retransmission by checking if the ending sequencenumber of the packet is smaller than or equal to the nextexpected sequence number If so it does not process thepacket further and immediately sends an ACK packet to in-form the other end of the expected sequence number Sincestep 2 has already ensured that the ending sequence numbercannot be smaller than the next expected sequence numberthe only possible ending sequence number that can satisfythe retransmission check is the one equal to the next ex-pected sequence number

From the above description on how a TCP packet is han-dled it is not hard to tell that depending on whether thesequence number is in or out of window the TCP stack maybehave differently which can be observed by the on-devicemalware Specifically if it is an out-of-window packet with0-payload it most likely will not trigger any outgoing packetHowever if it is an in-window packet it immediately trig-gers an outgoing duplicate ACK packet As a result it ispossible to use the counter that records the total number ofoutgoing packets to tell if a guessed sequence number is inwindow

A similar observation has been made by the previousstudy in the Phrack magazine [1] The problem with theirapproach to infer sequence number is that such generalpacket counters can be very noisy mdash there may be back-ground traffic which can increment the system-wide outgo-ing packet counters It is especially problematic when thereceive window size is small mdash a large number of packetsneed to be sent and the probing is very likely to have limitedsuccess In fact we have implemented such sequence num-ber inference attack on a smartphone at home connectedto the broadband ISP through WiFi with 10Mbps down-link bandwidth Through 20 repeated experiments we findthat the inference always failed because of the noise of thebackground traffic

It is also worth noting that the error checks are performedat the very beginning preceding the sequence number check

which means that the corresponding error counters used bythe recent study [26] alone cannot provide any feedback ona guessed TCP sequence number

34 Sequence-Number-Dependent Counter inLinux

The reason why the Phrack attack [1] is difficult to carryout is two-fold (1) The required number of packets is toolarge an attacker needs to send at least one packet per re-ceive window in order to figure out the right sequence num-ber range (2) The counter that records the total number ofoutgoing packets is too noisy Subsequently we show thatboth problems can be addressed by using a newly discov-ered set of sequence-number-dependent packet counters thatincrement when the sequence number of an incoming packetmatches certain conditions

if (TCP_SKB_CB(skb)-gtend_seq = TCP_SKB_CB(skb)-gtseq

ampamp before(TCP_SKB_CB(skb)-gtseq tp-gtrcv_nxt))

NET_INC_STATS_BH(sock_net(sk)

LINUX_MIB_DELAYEDACKLOST)hellip

Figure 3 tcp send dupack() source code snippet in Linux

Server-side sequence number inference We closelystudy the function tcp send dupack() which is called af-ter the sequence number check (depicted in Figure 2)Within the function we discover an interesting piece ofcode shown in Figure 3 The ldquoifrdquo condition says if thepacketrsquos starting sequence number is not equal to its end-ing sequence number (ie the packet has nonzero pay-load) and its starting sequence number is ldquobeforerdquo the ex-pected sequence number then a packet counter named De-layedACKLost is incremented (which is publicly accessiblefrom procnetnetstat) This particular logic is to detectlost delayed ACK packets sent previously and switch fromthe delayed ACK mode into the quick ACK mode [12] Thepresence of an oldretransmitted TCP packet is an indica-tion that the delayed ACKs were lost

The question is how ldquobefore()rdquo is implemented In Linux(and Mac OS) it basically subtracts an unsigned 32-bit in-teger from another unsigned 32-bit integer and converts theresult into a signed 32-bit integer This means that half ofthe sequence number space (ie 2G) is considered beforethe expected sequence number For instance two unsignedintegers 1G minus 2G would lead to an unsigned integer 3GWhen converting to an signed value we obtain -1G

The net effect of the tcp send dupack() is that it allows anattacker to easily determine if a guessed sequence numberis before or after the expected sequence number Since theDelayedACKLost counter very rarely increments naturally(See sect38) an attacker can use this counter as a clean andreliable side-channel

Binary search Using this special counter it is straight-forward to conduct a binary search on the expected sequencenumber Note that the process is significantly different thanthe one proposed in the earlier work [26] in that the earlierwork still requires sending one packet per ldquowindowrdquo whichresults in a total of thousands or tens of thousands of pack-ets Here as illustrated in Figure 4 the attacker only needsto send one packet each round and only a total of 32 packetsresulting in hardly any bandwidth requirement

Specifically as shown in the figure in the first iterationthe attacker can try the middle of the sequence number space(ie 2G) If the expected sequence number falls in the firsthalf (ie bin 1) the DelayedACKLost counter incrementsby 1 Otherwise (ie if it falls in bin 2) the counter remainsthe same Suppose the attacker finds that the expected se-quence number is in the first half after the first iteration inthe second iteration he can try 1G to further narrow downthe sequence number After log2 4G = 32 rounds (also 32packets) the exact sequence number can be pinpointed Thetotal inference time can be roughly calculated as 32timesRTT In reality the number of RTTs can be further reduced bystopping the inference at an earlier iteration For instance ifit is stopped at the 31st iterations the attacker would knowthat the sequence number is either X or X+1 Similarlyif the number of iterations is 22 the attacker knows thatthe sequence number is within [X X+1024) In many casesthis is sufficient because the attacker can still inject a singlepacket with payload of 1460 bytes and pad the first 1024bytes with whitespace (which effectively leaves 436 bytes ofeffective payload) For instance if the application-layer pro-tocol is HTTP the whitespace is safely ignored even if theyhappen to be accepted as part of the HTTP response

0 4G

(a) First iteration

(b) Second iteration

2G

1

Bin 1Counter++

0

of packets

of packets

Bin 2Counter += 0

1G 2G

1

Bin 1Counter++

Bin 2Counter += 0

Figure 4 Sequence number inference illustration using theDelayedACKLost packet counter (binary search)

N-way search To further improve the inference speedwe devise a variation of the ldquoN-way searchrdquo proposed in therecent work [26] The idea is similar mdash instead of eliminatinghalf of the sequence number space each iteration we caneliminate Nminus1

Nof the search space by simultaneously probing

N-1 of N equally-partitioned bins The difference is thatthe inference requires one or two orders of magnitude fewerpackets compared to the previously proposed search

Figure 5 illustrates the process of a 4-way search In thefirst iteration the search space is equally partitioned into4 bins The attacker sends one packet with sequence num-ber 1G three packets with sequence number 2G and twopackets with sequence number 3G If the expected sequencenumber falls in the first bin the DelayedACKLost counterincrements by 2 as the two packets sent with sequence num-ber 3G are considered before the expected sequence numberSimilarly the counter increments by a different number fordifferent bins In general as long as the number of packetssent for each bin follow the distance between two consecu-tive marks on a circularmodular Golomb ruler [3] the De-layedACKLost counter increment will be unique when theexpected sequence number falls in different bins

In the later iterations however a much simpler strategycan be used In Figure 5(b) an attacker can just send onepacket per bin instead of following the circular Golomb rulerThe reason is that now that the search space is reduced to

smaller than 2G it is no longer circular (unlike the firstiteration where the counter increment in the first bin can beimpacted by the fourth bin) Now if the sequence numberfalls in the first bin then the counter remains the same ifit falls in the second bin the counter will increment 1 andso on We discuss the realistic settings and performance ofdifferent ldquoNrdquo in sect37

0 4G

(a) First iteration

(b) A later iteration

2G1G 3G

1 3 2

Bin 1Counter += 2

0 250M

1

of packets

of packets

Bin 2Counter += 1

Bin 3Counter += 4

Bin 4Counter += 5

500M 750M 1G

1 1

Bin 1Counter += 0

Bin 2Counter += 1

Bin 3Counter += 2

Bin 4Counter += 3

Figure 5 Sequence number inference illustration using theDelayedACKLost packet counter (four-way search)

Client-side sequence number inference Sometimesit is necessary to infer the client-side sequence number forthe purpose of either injecting data to the victim serveror injecting data to the victim client with an appropri-ate ACK number The latter is currently unnecessary asLinuxAndroid and BSDMac OS allows half of the ACKnumber space to be valid [26] For the former we can stilluse the same DelayedACKLost counter to infer the ACKnumber

Specifically as discussed in sect33 the only ending sequencenumber that can satisfy the retransmission check is the oneequal to the next expected sequence number When thathappens the TCP stack increments the DelayedACKLostpacket counter again The source code of the retransmissioncheck is shown in Figure 6

Since the retransmission check is after the ACK num-ber check it allows an attacker to send a non-zero payloadpacket that has the ending sequence number equal to thenext expected sequence number with a guessed ACK num-ber If it does not pass the ACK number check the packetis dropped and the DelayedACKLost counter does not incre-ment Otherwise the packet is considered a retransmittedpacket and triggers the counter to increment Based on suchbehavior we can perform a binary search or N-way searchon the ACK number similar to the sequence number searchIn fact the procedure is mostly identical

if (after(TCP_SKB_CB(skb)-gtend_seq tp-gtrcv_nxt))

NET_INC_STATS_BH(sock_net(sk)

LINUX_MIB_DELAYEDACKLOST)

hellip

Figure 6 Retransmission check source code snippet fromtcp data queue() in Linux

35 Sequence-Number-Dependent Countersin BSDMac OS

Inspired by the newly discovered counter in Linux wefurther conduct a survey on the latest FreeBSD source code

(version 10) Surprisingly we find that at least four pairsof packet counters can leak TCP sequence number Thecounters are confirmed to exist in Mac OS as well This find-ing shows that the sequence-number-dependent counters arewidely available and apparently considered safe to include inthe OS They are 1) rcvduppack and rcvdupbyte 2) rcvpack-afterwin and rcvbyteafterwin 3) rcvoopack and rcvoobyte 4)rcvdupack and rcvacktoomuch They can be either accessedthrough the standardldquonetstat -srdquo interface or sysctl API [11]

The first three pairs can be used to infer server-side se-quence numbers Specifically based on the source code thesemantic of rcvduppack is identical to that of DelayedACK-Lost rcvdupbyte however additionally provides informa-tion on the number of bytes (payload) carried in the incom-ing packets that are considered duplicate (with an old se-quence number) This counter greatly benefits the sequencenumber inference Following the same ldquoN-wayrdquo procedurethe first iteration can be improved by changing the ldquok pack-ets sent per binrdquo to ldquoa single packet with k bytes payloadrdquoThis improvement substantially reduces the number of pack-etsbytes sent in each iteration especially when ldquoNrdquo is large(shown in sect37)

The semantic of rcvpackafterwin and rcvbyteafterwin issimilar to rcvduppack and rcvdupbyte except that the for-mer increments only when the sequence number is biggerthan (instead of smaller than) certain sequence number XIn this case X is the expected sequence number plus thereceive window size rcvbyteafterwin can be used similarlyas rcvdupbyte to conduct the sequence number inference

rcvoopack and rcvoobyte differ from the previous two pairsThey increment only when packets arrive out of order ormore precisely when the sequence number is bigger thanthe expected sequence number yet smaller than the expectedsequence number plus the receive window size Even thoughan attacker needs to send a lot more packets to infer theTCP sequence number using this counter pair at least theycan be used to replace the original noisy side-channel in thePhrack attack [1] to improve success rate

rcvdupack and rcvacktoomuch are used to determine theclient-side sequence numbers Specifically the former in-crements when the ACK number of an incoming packetis smaller than or equal to the unacknowledged number(SNDUNA) The latter increments when the ACK num-ber is greater than the sequence number of the next origi-nal transmit (SNDMAX) The comparison again follows theldquounsigned integer to signed integer conversionrdquosuch that halfof the ACK number space is considered to match the condi-tion

We currently did not combine the counters together to im-prove the inference speed However we do realize there arepotential ways to speed things up For instance the rcvdup-byte and rcvdupack allows the client-side sequence numberinference to be piggybacked with the server-side sequencenumber inference

36 Sequence-Number-Dependent Countersin Microsoft Windows

Interestingly Microsoft Windows OSes do not appear toexpose such sequence-number-dependent counters and arethus not vulnerable to the attack On Windows 7 for ex-ample the TCP-related packet counters include the totalnumber of incoming packets outgoing packets and the num-ber of packets retransmitted from the output of ldquonetstat -

srdquo These packet counters do not leak sequence numbersdirectly

37 Inference Performance and OverheadWe have implemented the sequence number inference on

both Android (which incorporates the Linux kernel) andMac OS We are interested in the tradeoffs between differentstrategies in picking ldquoNrdquo in the ldquoN-way searchrdquo

Generally as ldquoNrdquo goes up the total number of bytes sentshould also increase Since the first iteration in the ldquoN-wayrdquosearch requires sending more bytes we pick a smaller ldquoNrdquofor the first iteration and a bigger ldquoNrdquo in the later iterationsto ensure that the number of bytes sent in each round issimilar In the Linux implementation we pick the followingpairs of N (22 46 830 1284) For Mac OS we pick(22 46 3450 82228) Here 46 means that we pickN=4 for the first iteration and N=6 for the later iterations

As shown in Figure 7 we can see that the general tradeoffis that the fewer iterations an attacker wants the more byteshe needs to send in total For instance when the number ofiterations is 4 an attacker on Linux needs to send 137KBWith the presence of the rcvdupbyte counter in Mac OS itrequires to send only 84KB This is a rather low networkresource requirement because it takes only 70ms to push84KB onto the wire with even just 1Mbps bandwidth Go-ing further down to 3 iterations requires sending 2775KBfor Mac OS Depending on the available bandwidth and theRTT we may or may not want to increase the number ofbytes to save one round trip

Next we pick N=3450 (4 round trips) for Mac OS at-tacks and N=830 (5 round trips) for Linux attacks (withroughly the same resource requirement) and plot the infer-ence time measured under various conditions We controlthe RTT between the attacker and the victim in three dif-ferent settings 1) The victim is in an office environment(enterprise-like) connected to the network using WiFi andthe attacker is in the same building (the RTT is around5-10ms) 2) The victim is in a home environment and theattacker is 50ms RTT away 3) The victim is in a home envi-ronment and the attacker is 100ms RTT away In Figure 8we see that in the first setting the inference time for Androidand Mac OS are 80ms and 50ms which are low enough todirectly launch injection attacks on HTTP connections withthe guarantee that the inference finishes before the first le-gitimate response packet comes back (also discussed laterin sect42) In fact inference time between 350ms and 700mscan be short enough in certain scenarios (see sect51)

38 Noisiness of Sequence-Number-Dependent Counters

So far we have claimed that these sequence-number-dependent counters are ldquocleanrdquo side-channels that rarely in-crement naturally even with background traffic To quanti-tatively support this claim we conduct a worse-case-scenarioexperiment as follows We open a YouTube video at thebackground and browse web pages at the same time to seehow often the counters get incremented Since it is easierto do the multi-tasking on Mac OS we choose it over theAndroid platform The Android counters should incrementeven less frequently since smartphones are rarely used forvideo streaming and web browsing simultaneously

We pick the rcvdupbyte counter (which is equivalent to De-layedACKLost on Linux) and run the experiments for about

85 minutes The video is long enough that it has not beenfully buffered by the end of the experiment To quantifythe counter noisiness we break down the time into 30ms in-tervals to mimic the window of exposure during one roundof probing and then count how many intervals in whichwe observe any counter increment As expected there areonly 10 intervals out of 16896 that have the increment Thisindicates that the probability that the counter incrementsdue to noise and interference with one round of probing isroughly 0059 Even if there are 22 rounds (worse case)the probability that the entire probing will be affected bythe counter noisiness is only 12

4 DESIGN AND IMPLEMENTATION OFTCP ATTACKS

In the previous section we described how to infer TCPsequence number efficiently and reliably using the newly dis-covered set of sequence-number-dependent packet countersSince the sequence number inference only takes less than asecond it can be fast enough to launch many application-layer attacks In this section we discuss four possible TCPattacks that can be launched against a variety of applica-tions All of the attacks leverage the TCP sequence numberinference as the essential building block but the main dif-ference is in the timing and reliability with slightly differentrequirements We have implemented the attacks on bothAndroid and Mac OS We use Android as the example fordescription

Injection vs Hijacking Using the same terminology as arecent work [26] we define TCP hijacking to be the morepowerful attack than TCP injection Specifically TCP hi-jacking allows an attacker to inject packets right after theTCP 3-way handshake For instance it enables an attackerto inject a complete HTTP response without any interfer-ence In contrast TCP Injection is more general and doesnot require this capability

The four attacks are named as (1) client-side TCP Injec-tion (2) passive TCP hijacking (3) active TCP hijacking(4) server-side TCP injection

41 Attack RequirementsThere are a number of base requirements that need to

be satisfied for all of these TCP attacks Note that ourattacks have much fewer requirements than the one proposedin the recent study [26] Specifically we do not require afirewall middlebox in the network which makes our attacksapplicable in a much more general environment

The set of requirements include (1) malware on the clientwith Internet access (2) malware that can run in the back-ground and read packet counters (3) malware that canread the list of active TCP connections and their four tu-ples and (4) a predictable external port number if NATis deployed The first three requirements are straightfor-ward All of the Android applications can easily request In-ternet access read packet counters (ieprocnetnetstatand procnetsnmp or ldquonetstat -srdquo) and read active TCPconnectionsrsquo four tuples (eg through procnettcp andprocnettcp6 or ldquonetstatrdquo) The requirements can be eas-ily satisfied on most modern OSes as well In addition anoff-path attacker needs the clientrsquos external port mapping tochoose the correct four tuples when sending probing packetsso we need the fourth requirement This requirement is also

commonly satisfied since many NAT mapping types allowthe external port to be predictable to facilitate NAT traver-sal For instance our home routers directly map the internalports to the external ports According to recent measure-ment studies on the NAT mapping types [21 31] the major-ity of the NATs studied do have predictable external portsFurther even if the prediction is not 100 accurate attacksmay still succeed by guessing the mappings

Additional requirements for passive TCP hijacking are C1and S1

(C1) Client-side ISN has only the lower 24-bit random-ized This requirement is necessary so that the malwarecan roughly predict the range of the ISN of a newly createdTCP connection In Linux kernels earlier than 302 theISN generation algorithm is designed such that ISNs for dif-ferent connections are not completely independent Insteadthe high 8 bits for all ISNs is a global number that incre-ments slowly (every five minutes) This feature is designedto balance security reliability and performance It is longperceived as a good optimization with the historical detailsand explanations in this article [5] The result of this designis that the ISN of two back-to-back connections will be atmost 224 = 16 777 216 apart Even though it is a designdecision and not considered a ldquovulnerabilityrdquo since Linux302 the kernel has changed the ISN generation algorithmsuch that two consecutive connections will have independentISNs The majority of Android systems that are on the mar-ket are still on Linux 26XX which means that they are allvulnerable to the passive TCP hijacking attack

(S1) The legitimate server has a host-based stateful TCPfirewall Such a firewall is capable of dropping out-of-stateTCP packets Many websites such as Facebook and Twitterdeploy such host firewalls to reduce malicious traffic Forinstance iptables can be easily configured to achieve thispurpose [10] Interestingly as we will discuss later this se-curity feature on the server actually enables TCP hijackingattacks

In order to perform active TCP hijacking attacks the ad-ditional requirements include S1 and C2

(C2) Client-side ISN monotonically incrementing for thesame four tuples This client-side requirement is in fact ex-plicitly defined in RFC 793 [9] to prevent packets of old con-nections with in-range sequence numbers from being ac-cepted by the current connection mistakenly Even thoughthe latest Linux kernel has eliminated the requirement C1C2 is still preserved

42 Client-Side TCP InjectionIn this attack an attacker attempts to inject malicious

data into a connection established by other apps on thephone The essential part of the attack is the TCP sequencenumber inference which has already been described in de-tail The challenge is that the injected data may competewith the data sent from the legitimate server For instanceconsidering the connection under attack is an HTTP sessionwhere a valid HTTP response typically follows immediatelyafter the request is sent by the time the sequence numberinference is done at least part of the HTTP response is al-ready sent by the server The injected HTTP packets likelycan only corrupt the response and cause denial of serviceinstead of serious damage

Even though the timing requirement sounds difficult tosatisfy we did implement this attack against websites such

0

5

10

15

20

25

30

2 4 6 8 10 12 14 16 18 20 22

tota

l

of

byte

s r

eq

uire

d (

KB

)

of round trips (iterations)

AndroidMac

Figure 7 Tradeoff between inferencespeed and overhead

0

100

200

300

400

500

600

700

0 10 20 30 40 50 60 70 80 90 100

Infe

rence tim

e (

ms)

RTT between attacker and client (ms)

AndroidMac

Figure 8 Relationship between RTTand inference time

Off-path attacker

Legit Server

Victim App

Unprivileged malware

Phone

Co

nn

ectio

n re

set

6 Seq number inference -- start

7 Seq number inference -- end

8 Malicious response

4 Spoofed RSTs

1 SYN

5 ACKrequest

3 SYN-ACK (seq = Y)

2 Notification of new conn

Figure 9 Passive TCP hijacking se-quence

Off-path attacker

Legit Server

Victim App

Unprivileged malware

PhoneC

on

ne

ction

rese

t

9 Seq number inference -- start

10 Seq number inference -- end

11 Malicious response

8 Spoofed RSTs

1 Conn(X)

6 Conn(X)

3 Seq + ACK inference -- start

2 Notification of conn(X)

4 Seq + ACK inference -- end

7 Notification of conn(X)

5 Port jamming

Figure 10 Active TCP hijacking se-quence

as Facebook where we are able to inject malicious Javascriptsto post new status on behalf of a victim user The detail isdescribed in sect51

The idea is to leverage two common scenarios (1) Theserver may take a long time to process a request and as-semble the response This is especially common as manyservices (websites) take longer than 100ms or more to pro-cess a request The fact that the sequence number inferencetime in certain scenarios (when RTT from the server to theclient is small) can be made below 100ms makes the injectionattack as powerful as hijacking (2) A single TCP connec-tion is reused for more than one pair of HTTP request andresponse The idea is to use the inferred sequence numberfor injecting malicious data not on the first HTTP requestbut the later ones In both cases an attacker has enoughtime to conduct sequence number inference

43 Passive TCP HijackingPassive TCP hijacking allows an attacker to hijack TCP

connections that are passively detected This means that theattacker can hijack TCP connections issued by the browseror any other app regardless of how and when they are madeIt is the most powerful TCP attack in this study As demon-strated in sect5 with this attack it is possible to replace theFacebook login page with a phishing one

The high-level idea is the same as proposed in the recentwork [26] which is to reset the connection on the legitimateserver as soon as possible to allow the attacker to claim tobe the legitimate server talking to the victim The key isthat such reset has to be triggered right after the legitimateserver sends SYN-ACK Requirement C1 allows the mal-ware and the attacker to predict the rough range of victimrsquosISN and send reset packets with sequence numbers in thatrange This is helpful because the attacker is required tosend fewer spoofed RST packets (thus with lower bandwidthrequirement) compared to enumerating the entire 4G spaceFurther after the legitimate server is reset requirement S1is necessary since it helps prevent the legitimate server fromgenerating RST upon receiving out-of-state data or ACKpackets from the victim

The attack sequence diagram is shown in Figure 9 Timesteps 1 to 3 are the same as the previous attack where the un-privileged malware detects and reports the newly established

TCP connection In addition the malware also needs to es-tablish a connection to the off-path attacker to report thecurrent ISN value (high 8 bits) With this information attime 4 the off-path attacker can flood the legitimate serverwith a number of spoofed RSTs enumerating the lower 24bits (sequence numbers can increment by a step size as largeas the serverrsquos receive window size) Note that the RSTpackets have to arrive before the ACKrequest packets attime 5 otherwise the server may send back the responsepackets before the attacker Of course the server may needsome time to process the request as well which can varyfrom case to case allowing the attacker additional time tocomplete the reset procedure After the legitimate serverrsquosconnection is reset all future packets from the victim appwill be considered out-of-state and silently dropped due torequirement S1 For instance the ACK packet received attime 5 is silently discarded From time 6 to 7 the attackerconducts the sequence number inference described earlierand injects malicious content afterwards at time 8 with theinferred sequence number A more detailed analysis on thebandwidth and time requirement is discussed in a similarsetting in a prior work [26]

44 Server-side TCP InjectionIn this attack an attacker tries to inject malicious payload

into a victim connection destined for the server (as opposedto the client) For instance as shown in the case study in sect5we are able to target at Windows live messenger protocolsto inject malicious commands to cause persistent changes tothe victim user account eg adding new friends or removingexisting friends

This attack is straightforward by combining the sequencenumber inference and ACK number inference as describedin sect3 We omit the detailed attack sequence as it does notinclude other important steps This attack has no additionalrequirements besides the base requirements In general ap-plications with unencrypted and stateful protocols are goodattack targets

45 Active TCP HijackingIn this attack an attacker attempts to hijack connections

However because the latest Linux kernel since 302 has theentire 32-bit randomized for ISNs of different four tuples

requirement C1 is no longer satisfied In this case we showthat it is still possible to launch a weaker version of TCPhijacking by ldquoactivelyrdquo performing offline analysis as long asrequirement C2 is satisfied As shown in sect5 we have success-fully used the port-jamming-assisted active TCP hijackingto replace a Facebook login page with a phishing one

Requirement C2 specifies that the ISN for the same four-tuple always increments with time This implies that as longas an attacker can infer the clientrsquos ISN for a particular four-tuple once he can store the value for a future connectionthat reuses the same four-tuple and reset the server usingthe stored ISN (plus the increment by time) so that theattacker can hijack the connection

The detailed attack sequence is demonstrated in Fig-ure 10 at time 1 the unprivileged malware establishes aconnection on its own to a target server of interest (egFacebook server) and notifies the off-path attacker imme-diately (at time 2) so that it can infer the client ISN of theused four tuples (through time 3 to 4) Now assuming thatthe attacker knows that a victim app is about to initiate aconnection to the same server an attacker can immediatelyperform port jamming to exhaust all the local port numbers(at time 5) so that the victim apprsquos connection can only usethe local port number that was in the inferred four tuples(we will describe how port jamming can be done later) Nowthat the victim connection reuses the same four tuples themalware can immediately notify the off-path attacker (attime 6) which uses the previously inferred client-side ISNto reset the server (at time 7) Subsequently the attacksequence is identical to the end of passive TCP hijacking

In the above attack sequence one critical part is theknowledge of when the victim app initiates the connection tothe target website One simple strategy is to actively triggerthe victim app to make the connection through the unpriv-ileged malware On Android for instance any app coulddirectly invoke the browser going to a given URL beforewhich the attacker can perform the port jamming

One alternative strategy is to perform offline analysis onas many four tuples as possible so that it can essentially ob-tain the knowledge of ISN for all possible four tuples goingto a particular website (without requiring port jamming)This way after the offline analysis is performed the attackerbasically can launch passive TCP hijacking on any of thefour tuples that have been previously analyzed Since eachclient-side ISN inference should take a little over a secondan attacker can infer for instance 1000 four tuples in 15minutes Even though a connection to Facebook may have1 probability falling in the range the user may repeatedlyvisit the website and the probability that all of the connec-tions failing to match any existing four tuples is likely verylow We have verified that the ISN for the same four-tupledoes increment consistently over time for over an hour Wesuspect that the cryptographic key for computing ISN doesnot change until reboot in Linux 302 and above

To jam local ports the unprivileged malware can simplystart a local server then open many connections to the localserver intentionally occupying most of the local port exceptthe ones that are previously seen for inference One chal-lenge is that the OS may limit the total number of ports thatan application can occupy thus preventing the attacker fromopening too many concurrent connections Interestingly wefind such limit can be bypassed if the established connectionsare immediately closed (which no longer counts towards the

limit) The local port numbers are not immediately releasedsince the closed connections enter the TCP TIME WAITstate for a duration of 1 to 2 minutes

5 ATTACK IMPACT ANALYSIS FROMCASE STUDIES

Experiment setup As discussed earlier even though ourattacks are implemented on both Android and Mac OS wechoose to focus on Android in our implementation and ex-periments We use two different phones Motorola Atrix andSamsung Captivate We verified that all attacks work onboth Android phones although the experimental results arerepeated based on Atrix The WiFi networks include a homenetwork and a university network The off-path attacker ishosted on one or more Planetlab nodes in California

We describe four case studies corresponding to the fourTCP attacks proposed in the previous section We alsopresent experimental results such as how likely we can suc-ceed in hijacking the Facebook login page based on repeatedexperiments

For all attacks we implemented the malware as a benignapp that has the functionality of downloading wallpapersfrom the Internet (thus justifying the Internet permission)Since the malware needs to scan netstat (or procnettcpand procnettcp6 equivalently) for new connection detec-tion which can drain the phonersquos battery very quickly wemake the malware stealthy such that it only scans for newconnections when it detects that the victim app of interestis at the foreground This can be achieved by querying eachapprsquos IMPORTANCE FOREGROUND flag which is typi-cally set by the Android OS whenever it is brought to theforeground Further the malware queries the packet counteronly when the off-path attacker instructs it to do so Themalware is only used in our controlled experiment environ-ments without affecting real users

Note that most apps except the browser on the smart-phones do not have an indication about whether the con-nection is using SSL which means that the users may becompletely unaware of the potential security breach for un-encrypted connections (eg HTTP connections used in theFacebook app)

51 Facebook Javascript InjectionWe launch the attack based on client-side TCP injec-

tion as described in sect42 Recall that the injection can hap-pen only after the sequence number inference finishes If theinference cannot be done earlier than the response comesback the attacker will miss the window of opportunity

By examining the packet trace generated by visiting theFacebook website where a user is already logged in we iden-tify two possible ways to launch the Javascript injection at-tack The first attack is surprisingly straightforward Ba-sically when the user visits mfacebookcom the browserissues an HTTP request that fetches all recent news We ob-serve that it consistently takes the server more than 15 sec-onds to process the request before sending back the first re-sponse packet According to our results in sect37 the inferencetime usually finishes within 07s even when RTT=100ms Itallows enough time for an attacker to inject the maliciousresponse in time (or inject a phishing login page as well)As shown in Table 1 the success rate is 875 based on40 repeated experiments in our home environment where

Specifically as shown in the figure in the first iterationthe attacker can try the middle of the sequence number space(ie 2G) If the expected sequence number falls in the firsthalf (ie bin 1) the DelayedACKLost counter incrementsby 1 Otherwise (ie if it falls in bin 2) the counter remainsthe same Suppose the attacker finds that the expected se-quence number is in the first half after the first iteration inthe second iteration he can try 1G to further narrow downthe sequence number After log2 4G = 32 rounds (also 32packets) the exact sequence number can be pinpointed Thetotal inference time can be roughly calculated as 32timesRTT In reality the number of RTTs can be further reduced bystopping the inference at an earlier iteration For instance ifit is stopped at the 31st iterations the attacker would knowthat the sequence number is either X or X+1 Similarlyif the number of iterations is 22 the attacker knows thatthe sequence number is within [X X+1024) In many casesthis is sufficient because the attacker can still inject a singlepacket with payload of 1460 bytes and pad the first 1024bytes with whitespace (which effectively leaves 436 bytes ofeffective payload) For instance if the application-layer pro-tocol is HTTP the whitespace is safely ignored even if theyhappen to be accepted as part of the HTTP response

0 4G

(a) First iteration

(b) Second iteration

2G

1

Bin 1Counter++

0

of packets

of packets

Bin 2Counter += 0

1G 2G

1

Bin 1Counter++

Bin 2Counter += 0

Figure 4 Sequence number inference illustration using theDelayedACKLost packet counter (binary search)

N-way search To further improve the inference speedwe devise a variation of the ldquoN-way searchrdquo proposed in therecent work [26] The idea is similar mdash instead of eliminatinghalf of the sequence number space each iteration we caneliminate Nminus1

Nof the search space by simultaneously probing

N-1 of N equally-partitioned bins The difference is thatthe inference requires one or two orders of magnitude fewerpackets compared to the previously proposed search

Figure 5 illustrates the process of a 4-way search In thefirst iteration the search space is equally partitioned into4 bins The attacker sends one packet with sequence num-ber 1G three packets with sequence number 2G and twopackets with sequence number 3G If the expected sequencenumber falls in the first bin the DelayedACKLost counterincrements by 2 as the two packets sent with sequence num-ber 3G are considered before the expected sequence numberSimilarly the counter increments by a different number fordifferent bins In general as long as the number of packetssent for each bin follow the distance between two consecu-tive marks on a circularmodular Golomb ruler [3] the De-layedACKLost counter increment will be unique when theexpected sequence number falls in different bins

In the later iterations however a much simpler strategycan be used In Figure 5(b) an attacker can just send onepacket per bin instead of following the circular Golomb rulerThe reason is that now that the search space is reduced to

smaller than 2G it is no longer circular (unlike the firstiteration where the counter increment in the first bin can beimpacted by the fourth bin) Now if the sequence numberfalls in the first bin then the counter remains the same ifit falls in the second bin the counter will increment 1 andso on We discuss the realistic settings and performance ofdifferent ldquoNrdquo in sect37

0 4G

(a) First iteration

(b) A later iteration

2G1G 3G

1 3 2

Bin 1Counter += 2

0 250M

1

of packets

of packets

Bin 2Counter += 1

Bin 3Counter += 4

Bin 4Counter += 5

500M 750M 1G

1 1

Bin 1Counter += 0

Bin 2Counter += 1

Bin 3Counter += 2

Bin 4Counter += 3

Figure 5 Sequence number inference illustration using theDelayedACKLost packet counter (four-way search)

Client-side sequence number inference Sometimesit is necessary to infer the client-side sequence number forthe purpose of either injecting data to the victim serveror injecting data to the victim client with an appropri-ate ACK number The latter is currently unnecessary asLinuxAndroid and BSDMac OS allows half of the ACKnumber space to be valid [26] For the former we can stilluse the same DelayedACKLost counter to infer the ACKnumber

Specifically as discussed in sect33 the only ending sequencenumber that can satisfy the retransmission check is the oneequal to the next expected sequence number When thathappens the TCP stack increments the DelayedACKLostpacket counter again The source code of the retransmissioncheck is shown in Figure 6

Since the retransmission check is after the ACK num-ber check it allows an attacker to send a non-zero payloadpacket that has the ending sequence number equal to thenext expected sequence number with a guessed ACK num-ber If it does not pass the ACK number check the packetis dropped and the DelayedACKLost counter does not incre-ment Otherwise the packet is considered a retransmittedpacket and triggers the counter to increment Based on suchbehavior we can perform a binary search or N-way searchon the ACK number similar to the sequence number searchIn fact the procedure is mostly identical

if (after(TCP_SKB_CB(skb)-gtend_seq tp-gtrcv_nxt))

NET_INC_STATS_BH(sock_net(sk)

LINUX_MIB_DELAYEDACKLOST)

hellip

Figure 6 Retransmission check source code snippet fromtcp data queue() in Linux

35 Sequence-Number-Dependent Countersin BSDMac OS

Inspired by the newly discovered counter in Linux wefurther conduct a survey on the latest FreeBSD source code

(version 10) Surprisingly we find that at least four pairsof packet counters can leak TCP sequence number Thecounters are confirmed to exist in Mac OS as well This find-ing shows that the sequence-number-dependent counters arewidely available and apparently considered safe to include inthe OS They are 1) rcvduppack and rcvdupbyte 2) rcvpack-afterwin and rcvbyteafterwin 3) rcvoopack and rcvoobyte 4)rcvdupack and rcvacktoomuch They can be either accessedthrough the standardldquonetstat -srdquo interface or sysctl API [11]

The first three pairs can be used to infer server-side se-quence numbers Specifically based on the source code thesemantic of rcvduppack is identical to that of DelayedACK-Lost rcvdupbyte however additionally provides informa-tion on the number of bytes (payload) carried in the incom-ing packets that are considered duplicate (with an old se-quence number) This counter greatly benefits the sequencenumber inference Following the same ldquoN-wayrdquo procedurethe first iteration can be improved by changing the ldquok pack-ets sent per binrdquo to ldquoa single packet with k bytes payloadrdquoThis improvement substantially reduces the number of pack-etsbytes sent in each iteration especially when ldquoNrdquo is large(shown in sect37)

The semantic of rcvpackafterwin and rcvbyteafterwin issimilar to rcvduppack and rcvdupbyte except that the for-mer increments only when the sequence number is biggerthan (instead of smaller than) certain sequence number XIn this case X is the expected sequence number plus thereceive window size rcvbyteafterwin can be used similarlyas rcvdupbyte to conduct the sequence number inference

rcvoopack and rcvoobyte differ from the previous two pairsThey increment only when packets arrive out of order ormore precisely when the sequence number is bigger thanthe expected sequence number yet smaller than the expectedsequence number plus the receive window size Even thoughan attacker needs to send a lot more packets to infer theTCP sequence number using this counter pair at least theycan be used to replace the original noisy side-channel in thePhrack attack [1] to improve success rate

rcvdupack and rcvacktoomuch are used to determine theclient-side sequence numbers Specifically the former in-crements when the ACK number of an incoming packetis smaller than or equal to the unacknowledged number(SNDUNA) The latter increments when the ACK num-ber is greater than the sequence number of the next origi-nal transmit (SNDMAX) The comparison again follows theldquounsigned integer to signed integer conversionrdquosuch that halfof the ACK number space is considered to match the condi-tion

We currently did not combine the counters together to im-prove the inference speed However we do realize there arepotential ways to speed things up For instance the rcvdup-byte and rcvdupack allows the client-side sequence numberinference to be piggybacked with the server-side sequencenumber inference

36 Sequence-Number-Dependent Countersin Microsoft Windows

Interestingly Microsoft Windows OSes do not appear toexpose such sequence-number-dependent counters and arethus not vulnerable to the attack On Windows 7 for ex-ample the TCP-related packet counters include the totalnumber of incoming packets outgoing packets and the num-ber of packets retransmitted from the output of ldquonetstat -

srdquo These packet counters do not leak sequence numbersdirectly

37 Inference Performance and OverheadWe have implemented the sequence number inference on

both Android (which incorporates the Linux kernel) andMac OS We are interested in the tradeoffs between differentstrategies in picking ldquoNrdquo in the ldquoN-way searchrdquo

Generally as ldquoNrdquo goes up the total number of bytes sentshould also increase Since the first iteration in the ldquoN-wayrdquosearch requires sending more bytes we pick a smaller ldquoNrdquofor the first iteration and a bigger ldquoNrdquo in the later iterationsto ensure that the number of bytes sent in each round issimilar In the Linux implementation we pick the followingpairs of N (22 46 830 1284) For Mac OS we pick(22 46 3450 82228) Here 46 means that we pickN=4 for the first iteration and N=6 for the later iterations

As shown in Figure 7 we can see that the general tradeoffis that the fewer iterations an attacker wants the more byteshe needs to send in total For instance when the number ofiterations is 4 an attacker on Linux needs to send 137KBWith the presence of the rcvdupbyte counter in Mac OS itrequires to send only 84KB This is a rather low networkresource requirement because it takes only 70ms to push84KB onto the wire with even just 1Mbps bandwidth Go-ing further down to 3 iterations requires sending 2775KBfor Mac OS Depending on the available bandwidth and theRTT we may or may not want to increase the number ofbytes to save one round trip

Next we pick N=3450 (4 round trips) for Mac OS at-tacks and N=830 (5 round trips) for Linux attacks (withroughly the same resource requirement) and plot the infer-ence time measured under various conditions We controlthe RTT between the attacker and the victim in three dif-ferent settings 1) The victim is in an office environment(enterprise-like) connected to the network using WiFi andthe attacker is in the same building (the RTT is around5-10ms) 2) The victim is in a home environment and theattacker is 50ms RTT away 3) The victim is in a home envi-ronment and the attacker is 100ms RTT away In Figure 8we see that in the first setting the inference time for Androidand Mac OS are 80ms and 50ms which are low enough todirectly launch injection attacks on HTTP connections withthe guarantee that the inference finishes before the first le-gitimate response packet comes back (also discussed laterin sect42) In fact inference time between 350ms and 700mscan be short enough in certain scenarios (see sect51)

38 Noisiness of Sequence-Number-Dependent Counters

So far we have claimed that these sequence-number-dependent counters are ldquocleanrdquo side-channels that rarely in-crement naturally even with background traffic To quanti-tatively support this claim we conduct a worse-case-scenarioexperiment as follows We open a YouTube video at thebackground and browse web pages at the same time to seehow often the counters get incremented Since it is easierto do the multi-tasking on Mac OS we choose it over theAndroid platform The Android counters should incrementeven less frequently since smartphones are rarely used forvideo streaming and web browsing simultaneously

We pick the rcvdupbyte counter (which is equivalent to De-layedACKLost on Linux) and run the experiments for about

85 minutes The video is long enough that it has not beenfully buffered by the end of the experiment To quantifythe counter noisiness we break down the time into 30ms in-tervals to mimic the window of exposure during one roundof probing and then count how many intervals in whichwe observe any counter increment As expected there areonly 10 intervals out of 16896 that have the increment Thisindicates that the probability that the counter incrementsdue to noise and interference with one round of probing isroughly 0059 Even if there are 22 rounds (worse case)the probability that the entire probing will be affected bythe counter noisiness is only 12

4 DESIGN AND IMPLEMENTATION OFTCP ATTACKS

In the previous section we described how to infer TCPsequence number efficiently and reliably using the newly dis-covered set of sequence-number-dependent packet countersSince the sequence number inference only takes less than asecond it can be fast enough to launch many application-layer attacks In this section we discuss four possible TCPattacks that can be launched against a variety of applica-tions All of the attacks leverage the TCP sequence numberinference as the essential building block but the main dif-ference is in the timing and reliability with slightly differentrequirements We have implemented the attacks on bothAndroid and Mac OS We use Android as the example fordescription

Injection vs Hijacking Using the same terminology as arecent work [26] we define TCP hijacking to be the morepowerful attack than TCP injection Specifically TCP hi-jacking allows an attacker to inject packets right after theTCP 3-way handshake For instance it enables an attackerto inject a complete HTTP response without any interfer-ence In contrast TCP Injection is more general and doesnot require this capability

The four attacks are named as (1) client-side TCP Injec-tion (2) passive TCP hijacking (3) active TCP hijacking(4) server-side TCP injection

41 Attack RequirementsThere are a number of base requirements that need to

be satisfied for all of these TCP attacks Note that ourattacks have much fewer requirements than the one proposedin the recent study [26] Specifically we do not require afirewall middlebox in the network which makes our attacksapplicable in a much more general environment

The set of requirements include (1) malware on the clientwith Internet access (2) malware that can run in the back-ground and read packet counters (3) malware that canread the list of active TCP connections and their four tu-ples and (4) a predictable external port number if NATis deployed The first three requirements are straightfor-ward All of the Android applications can easily request In-ternet access read packet counters (ieprocnetnetstatand procnetsnmp or ldquonetstat -srdquo) and read active TCPconnectionsrsquo four tuples (eg through procnettcp andprocnettcp6 or ldquonetstatrdquo) The requirements can be eas-ily satisfied on most modern OSes as well In addition anoff-path attacker needs the clientrsquos external port mapping tochoose the correct four tuples when sending probing packetsso we need the fourth requirement This requirement is also

commonly satisfied since many NAT mapping types allowthe external port to be predictable to facilitate NAT traver-sal For instance our home routers directly map the internalports to the external ports According to recent measure-ment studies on the NAT mapping types [21 31] the major-ity of the NATs studied do have predictable external portsFurther even if the prediction is not 100 accurate attacksmay still succeed by guessing the mappings

Additional requirements for passive TCP hijacking are C1and S1

(C1) Client-side ISN has only the lower 24-bit random-ized This requirement is necessary so that the malwarecan roughly predict the range of the ISN of a newly createdTCP connection In Linux kernels earlier than 302 theISN generation algorithm is designed such that ISNs for dif-ferent connections are not completely independent Insteadthe high 8 bits for all ISNs is a global number that incre-ments slowly (every five minutes) This feature is designedto balance security reliability and performance It is longperceived as a good optimization with the historical detailsand explanations in this article [5] The result of this designis that the ISN of two back-to-back connections will be atmost 224 = 16 777 216 apart Even though it is a designdecision and not considered a ldquovulnerabilityrdquo since Linux302 the kernel has changed the ISN generation algorithmsuch that two consecutive connections will have independentISNs The majority of Android systems that are on the mar-ket are still on Linux 26XX which means that they are allvulnerable to the passive TCP hijacking attack

(S1) The legitimate server has a host-based stateful TCPfirewall Such a firewall is capable of dropping out-of-stateTCP packets Many websites such as Facebook and Twitterdeploy such host firewalls to reduce malicious traffic Forinstance iptables can be easily configured to achieve thispurpose [10] Interestingly as we will discuss later this se-curity feature on the server actually enables TCP hijackingattacks

In order to perform active TCP hijacking attacks the ad-ditional requirements include S1 and C2

(C2) Client-side ISN monotonically incrementing for thesame four tuples This client-side requirement is in fact ex-plicitly defined in RFC 793 [9] to prevent packets of old con-nections with in-range sequence numbers from being ac-cepted by the current connection mistakenly Even thoughthe latest Linux kernel has eliminated the requirement C1C2 is still preserved

42 Client-Side TCP InjectionIn this attack an attacker attempts to inject malicious

data into a connection established by other apps on thephone The essential part of the attack is the TCP sequencenumber inference which has already been described in de-tail The challenge is that the injected data may competewith the data sent from the legitimate server For instanceconsidering the connection under attack is an HTTP sessionwhere a valid HTTP response typically follows immediatelyafter the request is sent by the time the sequence numberinference is done at least part of the HTTP response is al-ready sent by the server The injected HTTP packets likelycan only corrupt the response and cause denial of serviceinstead of serious damage

Even though the timing requirement sounds difficult tosatisfy we did implement this attack against websites such

0

5

10

15

20

25

30

2 4 6 8 10 12 14 16 18 20 22

tota

l

of

byte

s r

eq

uire

d (

KB

)

of round trips (iterations)

AndroidMac

Figure 7 Tradeoff between inferencespeed and overhead

0

100

200

300

400

500

600

700

0 10 20 30 40 50 60 70 80 90 100

Infe

rence tim

e (

ms)

RTT between attacker and client (ms)

AndroidMac

Figure 8 Relationship between RTTand inference time

Off-path attacker

Legit Server

Victim App

Unprivileged malware

Phone

Co

nn

ectio

n re

set

6 Seq number inference -- start

7 Seq number inference -- end

8 Malicious response

4 Spoofed RSTs

1 SYN

5 ACKrequest

3 SYN-ACK (seq = Y)

2 Notification of new conn

Figure 9 Passive TCP hijacking se-quence

Off-path attacker

Legit Server

Victim App

Unprivileged malware

PhoneC

on

ne

ction

rese

t

9 Seq number inference -- start

10 Seq number inference -- end

11 Malicious response

8 Spoofed RSTs

1 Conn(X)

6 Conn(X)

3 Seq + ACK inference -- start

2 Notification of conn(X)

4 Seq + ACK inference -- end

7 Notification of conn(X)

5 Port jamming

Figure 10 Active TCP hijacking se-quence

as Facebook where we are able to inject malicious Javascriptsto post new status on behalf of a victim user The detail isdescribed in sect51

The idea is to leverage two common scenarios (1) Theserver may take a long time to process a request and as-semble the response This is especially common as manyservices (websites) take longer than 100ms or more to pro-cess a request The fact that the sequence number inferencetime in certain scenarios (when RTT from the server to theclient is small) can be made below 100ms makes the injectionattack as powerful as hijacking (2) A single TCP connec-tion is reused for more than one pair of HTTP request andresponse The idea is to use the inferred sequence numberfor injecting malicious data not on the first HTTP requestbut the later ones In both cases an attacker has enoughtime to conduct sequence number inference

43 Passive TCP HijackingPassive TCP hijacking allows an attacker to hijack TCP

connections that are passively detected This means that theattacker can hijack TCP connections issued by the browseror any other app regardless of how and when they are madeIt is the most powerful TCP attack in this study As demon-strated in sect5 with this attack it is possible to replace theFacebook login page with a phishing one

The high-level idea is the same as proposed in the recentwork [26] which is to reset the connection on the legitimateserver as soon as possible to allow the attacker to claim tobe the legitimate server talking to the victim The key isthat such reset has to be triggered right after the legitimateserver sends SYN-ACK Requirement C1 allows the mal-ware and the attacker to predict the rough range of victimrsquosISN and send reset packets with sequence numbers in thatrange This is helpful because the attacker is required tosend fewer spoofed RST packets (thus with lower bandwidthrequirement) compared to enumerating the entire 4G spaceFurther after the legitimate server is reset requirement S1is necessary since it helps prevent the legitimate server fromgenerating RST upon receiving out-of-state data or ACKpackets from the victim

The attack sequence diagram is shown in Figure 9 Timesteps 1 to 3 are the same as the previous attack where the un-privileged malware detects and reports the newly established

TCP connection In addition the malware also needs to es-tablish a connection to the off-path attacker to report thecurrent ISN value (high 8 bits) With this information attime 4 the off-path attacker can flood the legitimate serverwith a number of spoofed RSTs enumerating the lower 24bits (sequence numbers can increment by a step size as largeas the serverrsquos receive window size) Note that the RSTpackets have to arrive before the ACKrequest packets attime 5 otherwise the server may send back the responsepackets before the attacker Of course the server may needsome time to process the request as well which can varyfrom case to case allowing the attacker additional time tocomplete the reset procedure After the legitimate serverrsquosconnection is reset all future packets from the victim appwill be considered out-of-state and silently dropped due torequirement S1 For instance the ACK packet received attime 5 is silently discarded From time 6 to 7 the attackerconducts the sequence number inference described earlierand injects malicious content afterwards at time 8 with theinferred sequence number A more detailed analysis on thebandwidth and time requirement is discussed in a similarsetting in a prior work [26]

44 Server-side TCP InjectionIn this attack an attacker tries to inject malicious payload

into a victim connection destined for the server (as opposedto the client) For instance as shown in the case study in sect5we are able to target at Windows live messenger protocolsto inject malicious commands to cause persistent changes tothe victim user account eg adding new friends or removingexisting friends

This attack is straightforward by combining the sequencenumber inference and ACK number inference as describedin sect3 We omit the detailed attack sequence as it does notinclude other important steps This attack has no additionalrequirements besides the base requirements In general ap-plications with unencrypted and stateful protocols are goodattack targets

45 Active TCP HijackingIn this attack an attacker attempts to hijack connections

However because the latest Linux kernel since 302 has theentire 32-bit randomized for ISNs of different four tuples

requirement C1 is no longer satisfied In this case we showthat it is still possible to launch a weaker version of TCPhijacking by ldquoactivelyrdquo performing offline analysis as long asrequirement C2 is satisfied As shown in sect5 we have success-fully used the port-jamming-assisted active TCP hijackingto replace a Facebook login page with a phishing one

Requirement C2 specifies that the ISN for the same four-tuple always increments with time This implies that as longas an attacker can infer the clientrsquos ISN for a particular four-tuple once he can store the value for a future connectionthat reuses the same four-tuple and reset the server usingthe stored ISN (plus the increment by time) so that theattacker can hijack the connection

The detailed attack sequence is demonstrated in Fig-ure 10 at time 1 the unprivileged malware establishes aconnection on its own to a target server of interest (egFacebook server) and notifies the off-path attacker imme-diately (at time 2) so that it can infer the client ISN of theused four tuples (through time 3 to 4) Now assuming thatthe attacker knows that a victim app is about to initiate aconnection to the same server an attacker can immediatelyperform port jamming to exhaust all the local port numbers(at time 5) so that the victim apprsquos connection can only usethe local port number that was in the inferred four tuples(we will describe how port jamming can be done later) Nowthat the victim connection reuses the same four tuples themalware can immediately notify the off-path attacker (attime 6) which uses the previously inferred client-side ISNto reset the server (at time 7) Subsequently the attacksequence is identical to the end of passive TCP hijacking

In the above attack sequence one critical part is theknowledge of when the victim app initiates the connection tothe target website One simple strategy is to actively triggerthe victim app to make the connection through the unpriv-ileged malware On Android for instance any app coulddirectly invoke the browser going to a given URL beforewhich the attacker can perform the port jamming

One alternative strategy is to perform offline analysis onas many four tuples as possible so that it can essentially ob-tain the knowledge of ISN for all possible four tuples goingto a particular website (without requiring port jamming)This way after the offline analysis is performed the attackerbasically can launch passive TCP hijacking on any of thefour tuples that have been previously analyzed Since eachclient-side ISN inference should take a little over a secondan attacker can infer for instance 1000 four tuples in 15minutes Even though a connection to Facebook may have1 probability falling in the range the user may repeatedlyvisit the website and the probability that all of the connec-tions failing to match any existing four tuples is likely verylow We have verified that the ISN for the same four-tupledoes increment consistently over time for over an hour Wesuspect that the cryptographic key for computing ISN doesnot change until reboot in Linux 302 and above

To jam local ports the unprivileged malware can simplystart a local server then open many connections to the localserver intentionally occupying most of the local port exceptthe ones that are previously seen for inference One chal-lenge is that the OS may limit the total number of ports thatan application can occupy thus preventing the attacker fromopening too many concurrent connections Interestingly wefind such limit can be bypassed if the established connectionsare immediately closed (which no longer counts towards the

limit) The local port numbers are not immediately releasedsince the closed connections enter the TCP TIME WAITstate for a duration of 1 to 2 minutes

5 ATTACK IMPACT ANALYSIS FROMCASE STUDIES

Experiment setup As discussed earlier even though ourattacks are implemented on both Android and Mac OS wechoose to focus on Android in our implementation and ex-periments We use two different phones Motorola Atrix andSamsung Captivate We verified that all attacks work onboth Android phones although the experimental results arerepeated based on Atrix The WiFi networks include a homenetwork and a university network The off-path attacker ishosted on one or more Planetlab nodes in California

We describe four case studies corresponding to the fourTCP attacks proposed in the previous section We alsopresent experimental results such as how likely we can suc-ceed in hijacking the Facebook login page based on repeatedexperiments

For all attacks we implemented the malware as a benignapp that has the functionality of downloading wallpapersfrom the Internet (thus justifying the Internet permission)Since the malware needs to scan netstat (or procnettcpand procnettcp6 equivalently) for new connection detec-tion which can drain the phonersquos battery very quickly wemake the malware stealthy such that it only scans for newconnections when it detects that the victim app of interestis at the foreground This can be achieved by querying eachapprsquos IMPORTANCE FOREGROUND flag which is typi-cally set by the Android OS whenever it is brought to theforeground Further the malware queries the packet counteronly when the off-path attacker instructs it to do so Themalware is only used in our controlled experiment environ-ments without affecting real users

Note that most apps except the browser on the smart-phones do not have an indication about whether the con-nection is using SSL which means that the users may becompletely unaware of the potential security breach for un-encrypted connections (eg HTTP connections used in theFacebook app)

51 Facebook Javascript InjectionWe launch the attack based on client-side TCP injec-

tion as described in sect42 Recall that the injection can hap-pen only after the sequence number inference finishes If theinference cannot be done earlier than the response comesback the attacker will miss the window of opportunity

By examining the packet trace generated by visiting theFacebook website where a user is already logged in we iden-tify two possible ways to launch the Javascript injection at-tack The first attack is surprisingly straightforward Ba-sically when the user visits mfacebookcom the browserissues an HTTP request that fetches all recent news We ob-serve that it consistently takes the server more than 15 sec-onds to process the request before sending back the first re-sponse packet According to our results in sect37 the inferencetime usually finishes within 07s even when RTT=100ms Itallows enough time for an attacker to inject the maliciousresponse in time (or inject a phishing login page as well)As shown in Table 1 the success rate is 875 based on40 repeated experiments in our home environment where

(version 10) Surprisingly we find that at least four pairsof packet counters can leak TCP sequence number Thecounters are confirmed to exist in Mac OS as well This find-ing shows that the sequence-number-dependent counters arewidely available and apparently considered safe to include inthe OS They are 1) rcvduppack and rcvdupbyte 2) rcvpack-afterwin and rcvbyteafterwin 3) rcvoopack and rcvoobyte 4)rcvdupack and rcvacktoomuch They can be either accessedthrough the standardldquonetstat -srdquo interface or sysctl API [11]

The first three pairs can be used to infer server-side se-quence numbers Specifically based on the source code thesemantic of rcvduppack is identical to that of DelayedACK-Lost rcvdupbyte however additionally provides informa-tion on the number of bytes (payload) carried in the incom-ing packets that are considered duplicate (with an old se-quence number) This counter greatly benefits the sequencenumber inference Following the same ldquoN-wayrdquo procedurethe first iteration can be improved by changing the ldquok pack-ets sent per binrdquo to ldquoa single packet with k bytes payloadrdquoThis improvement substantially reduces the number of pack-etsbytes sent in each iteration especially when ldquoNrdquo is large(shown in sect37)

The semantic of rcvpackafterwin and rcvbyteafterwin issimilar to rcvduppack and rcvdupbyte except that the for-mer increments only when the sequence number is biggerthan (instead of smaller than) certain sequence number XIn this case X is the expected sequence number plus thereceive window size rcvbyteafterwin can be used similarlyas rcvdupbyte to conduct the sequence number inference

rcvoopack and rcvoobyte differ from the previous two pairsThey increment only when packets arrive out of order ormore precisely when the sequence number is bigger thanthe expected sequence number yet smaller than the expectedsequence number plus the receive window size Even thoughan attacker needs to send a lot more packets to infer theTCP sequence number using this counter pair at least theycan be used to replace the original noisy side-channel in thePhrack attack [1] to improve success rate

rcvdupack and rcvacktoomuch are used to determine theclient-side sequence numbers Specifically the former in-crements when the ACK number of an incoming packetis smaller than or equal to the unacknowledged number(SNDUNA) The latter increments when the ACK num-ber is greater than the sequence number of the next origi-nal transmit (SNDMAX) The comparison again follows theldquounsigned integer to signed integer conversionrdquosuch that halfof the ACK number space is considered to match the condi-tion

We currently did not combine the counters together to im-prove the inference speed However we do realize there arepotential ways to speed things up For instance the rcvdup-byte and rcvdupack allows the client-side sequence numberinference to be piggybacked with the server-side sequencenumber inference

36 Sequence-Number-Dependent Countersin Microsoft Windows

Interestingly Microsoft Windows OSes do not appear toexpose such sequence-number-dependent counters and arethus not vulnerable to the attack On Windows 7 for ex-ample the TCP-related packet counters include the totalnumber of incoming packets outgoing packets and the num-ber of packets retransmitted from the output of ldquonetstat -

srdquo These packet counters do not leak sequence numbersdirectly

37 Inference Performance and OverheadWe have implemented the sequence number inference on

both Android (which incorporates the Linux kernel) andMac OS We are interested in the tradeoffs between differentstrategies in picking ldquoNrdquo in the ldquoN-way searchrdquo

Generally as ldquoNrdquo goes up the total number of bytes sentshould also increase Since the first iteration in the ldquoN-wayrdquosearch requires sending more bytes we pick a smaller ldquoNrdquofor the first iteration and a bigger ldquoNrdquo in the later iterationsto ensure that the number of bytes sent in each round issimilar In the Linux implementation we pick the followingpairs of N (22 46 830 1284) For Mac OS we pick(22 46 3450 82228) Here 46 means that we pickN=4 for the first iteration and N=6 for the later iterations

As shown in Figure 7 we can see that the general tradeoffis that the fewer iterations an attacker wants the more byteshe needs to send in total For instance when the number ofiterations is 4 an attacker on Linux needs to send 137KBWith the presence of the rcvdupbyte counter in Mac OS itrequires to send only 84KB This is a rather low networkresource requirement because it takes only 70ms to push84KB onto the wire with even just 1Mbps bandwidth Go-ing further down to 3 iterations requires sending 2775KBfor Mac OS Depending on the available bandwidth and theRTT we may or may not want to increase the number ofbytes to save one round trip

Next we pick N=3450 (4 round trips) for Mac OS at-tacks and N=830 (5 round trips) for Linux attacks (withroughly the same resource requirement) and plot the infer-ence time measured under various conditions We controlthe RTT between the attacker and the victim in three dif-ferent settings 1) The victim is in an office environment(enterprise-like) connected to the network using WiFi andthe attacker is in the same building (the RTT is around5-10ms) 2) The victim is in a home environment and theattacker is 50ms RTT away 3) The victim is in a home envi-ronment and the attacker is 100ms RTT away In Figure 8we see that in the first setting the inference time for Androidand Mac OS are 80ms and 50ms which are low enough todirectly launch injection attacks on HTTP connections withthe guarantee that the inference finishes before the first le-gitimate response packet comes back (also discussed laterin sect42) In fact inference time between 350ms and 700mscan be short enough in certain scenarios (see sect51)

38 Noisiness of Sequence-Number-Dependent Counters

So far we have claimed that these sequence-number-dependent counters are ldquocleanrdquo side-channels that rarely in-crement naturally even with background traffic To quanti-tatively support this claim we conduct a worse-case-scenarioexperiment as follows We open a YouTube video at thebackground and browse web pages at the same time to seehow often the counters get incremented Since it is easierto do the multi-tasking on Mac OS we choose it over theAndroid platform The Android counters should incrementeven less frequently since smartphones are rarely used forvideo streaming and web browsing simultaneously

We pick the rcvdupbyte counter (which is equivalent to De-layedACKLost on Linux) and run the experiments for about

85 minutes The video is long enough that it has not beenfully buffered by the end of the experiment To quantifythe counter noisiness we break down the time into 30ms in-tervals to mimic the window of exposure during one roundof probing and then count how many intervals in whichwe observe any counter increment As expected there areonly 10 intervals out of 16896 that have the increment Thisindicates that the probability that the counter incrementsdue to noise and interference with one round of probing isroughly 0059 Even if there are 22 rounds (worse case)the probability that the entire probing will be affected bythe counter noisiness is only 12

4 DESIGN AND IMPLEMENTATION OFTCP ATTACKS

In the previous section we described how to infer TCPsequence number efficiently and reliably using the newly dis-covered set of sequence-number-dependent packet countersSince the sequence number inference only takes less than asecond it can be fast enough to launch many application-layer attacks In this section we discuss four possible TCPattacks that can be launched against a variety of applica-tions All of the attacks leverage the TCP sequence numberinference as the essential building block but the main dif-ference is in the timing and reliability with slightly differentrequirements We have implemented the attacks on bothAndroid and Mac OS We use Android as the example fordescription

Injection vs Hijacking Using the same terminology as arecent work [26] we define TCP hijacking to be the morepowerful attack than TCP injection Specifically TCP hi-jacking allows an attacker to inject packets right after theTCP 3-way handshake For instance it enables an attackerto inject a complete HTTP response without any interfer-ence In contrast TCP Injection is more general and doesnot require this capability

The four attacks are named as (1) client-side TCP Injec-tion (2) passive TCP hijacking (3) active TCP hijacking(4) server-side TCP injection

41 Attack RequirementsThere are a number of base requirements that need to

be satisfied for all of these TCP attacks Note that ourattacks have much fewer requirements than the one proposedin the recent study [26] Specifically we do not require afirewall middlebox in the network which makes our attacksapplicable in a much more general environment

The set of requirements include (1) malware on the clientwith Internet access (2) malware that can run in the back-ground and read packet counters (3) malware that canread the list of active TCP connections and their four tu-ples and (4) a predictable external port number if NATis deployed The first three requirements are straightfor-ward All of the Android applications can easily request In-ternet access read packet counters (ieprocnetnetstatand procnetsnmp or ldquonetstat -srdquo) and read active TCPconnectionsrsquo four tuples (eg through procnettcp andprocnettcp6 or ldquonetstatrdquo) The requirements can be eas-ily satisfied on most modern OSes as well In addition anoff-path attacker needs the clientrsquos external port mapping tochoose the correct four tuples when sending probing packetsso we need the fourth requirement This requirement is also

commonly satisfied since many NAT mapping types allowthe external port to be predictable to facilitate NAT traver-sal For instance our home routers directly map the internalports to the external ports According to recent measure-ment studies on the NAT mapping types [21 31] the major-ity of the NATs studied do have predictable external portsFurther even if the prediction is not 100 accurate attacksmay still succeed by guessing the mappings

Additional requirements for passive TCP hijacking are C1and S1

(C1) Client-side ISN has only the lower 24-bit random-ized This requirement is necessary so that the malwarecan roughly predict the range of the ISN of a newly createdTCP connection In Linux kernels earlier than 302 theISN generation algorithm is designed such that ISNs for dif-ferent connections are not completely independent Insteadthe high 8 bits for all ISNs is a global number that incre-ments slowly (every five minutes) This feature is designedto balance security reliability and performance It is longperceived as a good optimization with the historical detailsand explanations in this article [5] The result of this designis that the ISN of two back-to-back connections will be atmost 224 = 16 777 216 apart Even though it is a designdecision and not considered a ldquovulnerabilityrdquo since Linux302 the kernel has changed the ISN generation algorithmsuch that two consecutive connections will have independentISNs The majority of Android systems that are on the mar-ket are still on Linux 26XX which means that they are allvulnerable to the passive TCP hijacking attack

(S1) The legitimate server has a host-based stateful TCPfirewall Such a firewall is capable of dropping out-of-stateTCP packets Many websites such as Facebook and Twitterdeploy such host firewalls to reduce malicious traffic Forinstance iptables can be easily configured to achieve thispurpose [10] Interestingly as we will discuss later this se-curity feature on the server actually enables TCP hijackingattacks

In order to perform active TCP hijacking attacks the ad-ditional requirements include S1 and C2

(C2) Client-side ISN monotonically incrementing for thesame four tuples This client-side requirement is in fact ex-plicitly defined in RFC 793 [9] to prevent packets of old con-nections with in-range sequence numbers from being ac-cepted by the current connection mistakenly Even thoughthe latest Linux kernel has eliminated the requirement C1C2 is still preserved

42 Client-Side TCP InjectionIn this attack an attacker attempts to inject malicious

data into a connection established by other apps on thephone The essential part of the attack is the TCP sequencenumber inference which has already been described in de-tail The challenge is that the injected data may competewith the data sent from the legitimate server For instanceconsidering the connection under attack is an HTTP sessionwhere a valid HTTP response typically follows immediatelyafter the request is sent by the time the sequence numberinference is done at least part of the HTTP response is al-ready sent by the server The injected HTTP packets likelycan only corrupt the response and cause denial of serviceinstead of serious damage

Even though the timing requirement sounds difficult tosatisfy we did implement this attack against websites such

0

5

10

15

20

25

30

2 4 6 8 10 12 14 16 18 20 22

tota

l

of

byte

s r

eq

uire

d (

KB

)

of round trips (iterations)

AndroidMac

Figure 7 Tradeoff between inferencespeed and overhead

0

100

200

300

400

500

600

700

0 10 20 30 40 50 60 70 80 90 100

Infe

rence tim

e (

ms)

RTT between attacker and client (ms)

AndroidMac

Figure 8 Relationship between RTTand inference time

Off-path attacker

Legit Server

Victim App

Unprivileged malware

Phone

Co

nn

ectio

n re

set

6 Seq number inference -- start

7 Seq number inference -- end

8 Malicious response

4 Spoofed RSTs

1 SYN

5 ACKrequest

3 SYN-ACK (seq = Y)

2 Notification of new conn

Figure 9 Passive TCP hijacking se-quence

Off-path attacker

Legit Server

Victim App

Unprivileged malware

PhoneC

on

ne

ction

rese

t

9 Seq number inference -- start

10 Seq number inference -- end

11 Malicious response

8 Spoofed RSTs

1 Conn(X)

6 Conn(X)

3 Seq + ACK inference -- start

2 Notification of conn(X)

4 Seq + ACK inference -- end

7 Notification of conn(X)

5 Port jamming

Figure 10 Active TCP hijacking se-quence

as Facebook where we are able to inject malicious Javascriptsto post new status on behalf of a victim user The detail isdescribed in sect51

The idea is to leverage two common scenarios (1) Theserver may take a long time to process a request and as-semble the response This is especially common as manyservices (websites) take longer than 100ms or more to pro-cess a request The fact that the sequence number inferencetime in certain scenarios (when RTT from the server to theclient is small) can be made below 100ms makes the injectionattack as powerful as hijacking (2) A single TCP connec-tion is reused for more than one pair of HTTP request andresponse The idea is to use the inferred sequence numberfor injecting malicious data not on the first HTTP requestbut the later ones In both cases an attacker has enoughtime to conduct sequence number inference

43 Passive TCP HijackingPassive TCP hijacking allows an attacker to hijack TCP

connections that are passively detected This means that theattacker can hijack TCP connections issued by the browseror any other app regardless of how and when they are madeIt is the most powerful TCP attack in this study As demon-strated in sect5 with this attack it is possible to replace theFacebook login page with a phishing one

The high-level idea is the same as proposed in the recentwork [26] which is to reset the connection on the legitimateserver as soon as possible to allow the attacker to claim tobe the legitimate server talking to the victim The key isthat such reset has to be triggered right after the legitimateserver sends SYN-ACK Requirement C1 allows the mal-ware and the attacker to predict the rough range of victimrsquosISN and send reset packets with sequence numbers in thatrange This is helpful because the attacker is required tosend fewer spoofed RST packets (thus with lower bandwidthrequirement) compared to enumerating the entire 4G spaceFurther after the legitimate server is reset requirement S1is necessary since it helps prevent the legitimate server fromgenerating RST upon receiving out-of-state data or ACKpackets from the victim

The attack sequence diagram is shown in Figure 9 Timesteps 1 to 3 are the same as the previous attack where the un-privileged malware detects and reports the newly established

TCP connection In addition the malware also needs to es-tablish a connection to the off-path attacker to report thecurrent ISN value (high 8 bits) With this information attime 4 the off-path attacker can flood the legitimate serverwith a number of spoofed RSTs enumerating the lower 24bits (sequence numbers can increment by a step size as largeas the serverrsquos receive window size) Note that the RSTpackets have to arrive before the ACKrequest packets attime 5 otherwise the server may send back the responsepackets before the attacker Of course the server may needsome time to process the request as well which can varyfrom case to case allowing the attacker additional time tocomplete the reset procedure After the legitimate serverrsquosconnection is reset all future packets from the victim appwill be considered out-of-state and silently dropped due torequirement S1 For instance the ACK packet received attime 5 is silently discarded From time 6 to 7 the attackerconducts the sequence number inference described earlierand injects malicious content afterwards at time 8 with theinferred sequence number A more detailed analysis on thebandwidth and time requirement is discussed in a similarsetting in a prior work [26]

44 Server-side TCP InjectionIn this attack an attacker tries to inject malicious payload

into a victim connection destined for the server (as opposedto the client) For instance as shown in the case study in sect5we are able to target at Windows live messenger protocolsto inject malicious commands to cause persistent changes tothe victim user account eg adding new friends or removingexisting friends

This attack is straightforward by combining the sequencenumber inference and ACK number inference as describedin sect3 We omit the detailed attack sequence as it does notinclude other important steps This attack has no additionalrequirements besides the base requirements In general ap-plications with unencrypted and stateful protocols are goodattack targets

45 Active TCP HijackingIn this attack an attacker attempts to hijack connections

However because the latest Linux kernel since 302 has theentire 32-bit randomized for ISNs of different four tuples

requirement C1 is no longer satisfied In this case we showthat it is still possible to launch a weaker version of TCPhijacking by ldquoactivelyrdquo performing offline analysis as long asrequirement C2 is satisfied As shown in sect5 we have success-fully used the port-jamming-assisted active TCP hijackingto replace a Facebook login page with a phishing one

Requirement C2 specifies that the ISN for the same four-tuple always increments with time This implies that as longas an attacker can infer the clientrsquos ISN for a particular four-tuple once he can store the value for a future connectionthat reuses the same four-tuple and reset the server usingthe stored ISN (plus the increment by time) so that theattacker can hijack the connection

The detailed attack sequence is demonstrated in Fig-ure 10 at time 1 the unprivileged malware establishes aconnection on its own to a target server of interest (egFacebook server) and notifies the off-path attacker imme-diately (at time 2) so that it can infer the client ISN of theused four tuples (through time 3 to 4) Now assuming thatthe attacker knows that a victim app is about to initiate aconnection to the same server an attacker can immediatelyperform port jamming to exhaust all the local port numbers(at time 5) so that the victim apprsquos connection can only usethe local port number that was in the inferred four tuples(we will describe how port jamming can be done later) Nowthat the victim connection reuses the same four tuples themalware can immediately notify the off-path attacker (attime 6) which uses the previously inferred client-side ISNto reset the server (at time 7) Subsequently the attacksequence is identical to the end of passive TCP hijacking

In the above attack sequence one critical part is theknowledge of when the victim app initiates the connection tothe target website One simple strategy is to actively triggerthe victim app to make the connection through the unpriv-ileged malware On Android for instance any app coulddirectly invoke the browser going to a given URL beforewhich the attacker can perform the port jamming

One alternative strategy is to perform offline analysis onas many four tuples as possible so that it can essentially ob-tain the knowledge of ISN for all possible four tuples goingto a particular website (without requiring port jamming)This way after the offline analysis is performed the attackerbasically can launch passive TCP hijacking on any of thefour tuples that have been previously analyzed Since eachclient-side ISN inference should take a little over a secondan attacker can infer for instance 1000 four tuples in 15minutes Even though a connection to Facebook may have1 probability falling in the range the user may repeatedlyvisit the website and the probability that all of the connec-tions failing to match any existing four tuples is likely verylow We have verified that the ISN for the same four-tupledoes increment consistently over time for over an hour Wesuspect that the cryptographic key for computing ISN doesnot change until reboot in Linux 302 and above

To jam local ports the unprivileged malware can simplystart a local server then open many connections to the localserver intentionally occupying most of the local port exceptthe ones that are previously seen for inference One chal-lenge is that the OS may limit the total number of ports thatan application can occupy thus preventing the attacker fromopening too many concurrent connections Interestingly wefind such limit can be bypassed if the established connectionsare immediately closed (which no longer counts towards the

limit) The local port numbers are not immediately releasedsince the closed connections enter the TCP TIME WAITstate for a duration of 1 to 2 minutes

5 ATTACK IMPACT ANALYSIS FROMCASE STUDIES

Experiment setup As discussed earlier even though ourattacks are implemented on both Android and Mac OS wechoose to focus on Android in our implementation and ex-periments We use two different phones Motorola Atrix andSamsung Captivate We verified that all attacks work onboth Android phones although the experimental results arerepeated based on Atrix The WiFi networks include a homenetwork and a university network The off-path attacker ishosted on one or more Planetlab nodes in California

We describe four case studies corresponding to the fourTCP attacks proposed in the previous section We alsopresent experimental results such as how likely we can suc-ceed in hijacking the Facebook login page based on repeatedexperiments

For all attacks we implemented the malware as a benignapp that has the functionality of downloading wallpapersfrom the Internet (thus justifying the Internet permission)Since the malware needs to scan netstat (or procnettcpand procnettcp6 equivalently) for new connection detec-tion which can drain the phonersquos battery very quickly wemake the malware stealthy such that it only scans for newconnections when it detects that the victim app of interestis at the foreground This can be achieved by querying eachapprsquos IMPORTANCE FOREGROUND flag which is typi-cally set by the Android OS whenever it is brought to theforeground Further the malware queries the packet counteronly when the off-path attacker instructs it to do so Themalware is only used in our controlled experiment environ-ments without affecting real users

Note that most apps except the browser on the smart-phones do not have an indication about whether the con-nection is using SSL which means that the users may becompletely unaware of the potential security breach for un-encrypted connections (eg HTTP connections used in theFacebook app)

51 Facebook Javascript InjectionWe launch the attack based on client-side TCP injec-

tion as described in sect42 Recall that the injection can hap-pen only after the sequence number inference finishes If theinference cannot be done earlier than the response comesback the attacker will miss the window of opportunity

By examining the packet trace generated by visiting theFacebook website where a user is already logged in we iden-tify two possible ways to launch the Javascript injection at-tack The first attack is surprisingly straightforward Ba-sically when the user visits mfacebookcom the browserissues an HTTP request that fetches all recent news We ob-serve that it consistently takes the server more than 15 sec-onds to process the request before sending back the first re-sponse packet According to our results in sect37 the inferencetime usually finishes within 07s even when RTT=100ms Itallows enough time for an attacker to inject the maliciousresponse in time (or inject a phishing login page as well)As shown in Table 1 the success rate is 875 based on40 repeated experiments in our home environment where

85 minutes The video is long enough that it has not beenfully buffered by the end of the experiment To quantifythe counter noisiness we break down the time into 30ms in-tervals to mimic the window of exposure during one roundof probing and then count how many intervals in whichwe observe any counter increment As expected there areonly 10 intervals out of 16896 that have the increment Thisindicates that the probability that the counter incrementsdue to noise and interference with one round of probing isroughly 0059 Even if there are 22 rounds (worse case)the probability that the entire probing will be affected bythe counter noisiness is only 12

4 DESIGN AND IMPLEMENTATION OFTCP ATTACKS

In the previous section we described how to infer TCPsequence number efficiently and reliably using the newly dis-covered set of sequence-number-dependent packet countersSince the sequence number inference only takes less than asecond it can be fast enough to launch many application-layer attacks In this section we discuss four possible TCPattacks that can be launched against a variety of applica-tions All of the attacks leverage the TCP sequence numberinference as the essential building block but the main dif-ference is in the timing and reliability with slightly differentrequirements We have implemented the attacks on bothAndroid and Mac OS We use Android as the example fordescription

Injection vs Hijacking Using the same terminology as arecent work [26] we define TCP hijacking to be the morepowerful attack than TCP injection Specifically TCP hi-jacking allows an attacker to inject packets right after theTCP 3-way handshake For instance it enables an attackerto inject a complete HTTP response without any interfer-ence In contrast TCP Injection is more general and doesnot require this capability

The four attacks are named as (1) client-side TCP Injec-tion (2) passive TCP hijacking (3) active TCP hijacking(4) server-side TCP injection

41 Attack RequirementsThere are a number of base requirements that need to

be satisfied for all of these TCP attacks Note that ourattacks have much fewer requirements than the one proposedin the recent study [26] Specifically we do not require afirewall middlebox in the network which makes our attacksapplicable in a much more general environment

The set of requirements include (1) malware on the clientwith Internet access (2) malware that can run in the back-ground and read packet counters (3) malware that canread the list of active TCP connections and their four tu-ples and (4) a predictable external port number if NATis deployed The first three requirements are straightfor-ward All of the Android applications can easily request In-ternet access read packet counters (ieprocnetnetstatand procnetsnmp or ldquonetstat -srdquo) and read active TCPconnectionsrsquo four tuples (eg through procnettcp andprocnettcp6 or ldquonetstatrdquo) The requirements can be eas-ily satisfied on most modern OSes as well In addition anoff-path attacker needs the clientrsquos external port mapping tochoose the correct four tuples when sending probing packetsso we need the fourth requirement This requirement is also

commonly satisfied since many NAT mapping types allowthe external port to be predictable to facilitate NAT traver-sal For instance our home routers directly map the internalports to the external ports According to recent measure-ment studies on the NAT mapping types [21 31] the major-ity of the NATs studied do have predictable external portsFurther even if the prediction is not 100 accurate attacksmay still succeed by guessing the mappings

Additional requirements for passive TCP hijacking are C1and S1

(C1) Client-side ISN has only the lower 24-bit random-ized This requirement is necessary so that the malwarecan roughly predict the range of the ISN of a newly createdTCP connection In Linux kernels earlier than 302 theISN generation algorithm is designed such that ISNs for dif-ferent connections are not completely independent Insteadthe high 8 bits for all ISNs is a global number that incre-ments slowly (every five minutes) This feature is designedto balance security reliability and performance It is longperceived as a good optimization with the historical detailsand explanations in this article [5] The result of this designis that the ISN of two back-to-back connections will be atmost 224 = 16 777 216 apart Even though it is a designdecision and not considered a ldquovulnerabilityrdquo since Linux302 the kernel has changed the ISN generation algorithmsuch that two consecutive connections will have independentISNs The majority of Android systems that are on the mar-ket are still on Linux 26XX which means that they are allvulnerable to the passive TCP hijacking attack

(S1) The legitimate server has a host-based stateful TCPfirewall Such a firewall is capable of dropping out-of-stateTCP packets Many websites such as Facebook and Twitterdeploy such host firewalls to reduce malicious traffic Forinstance iptables can be easily configured to achieve thispurpose [10] Interestingly as we will discuss later this se-curity feature on the server actually enables TCP hijackingattacks

In order to perform active TCP hijacking attacks the ad-ditional requirements include S1 and C2

(C2) Client-side ISN monotonically incrementing for thesame four tuples This client-side requirement is in fact ex-plicitly defined in RFC 793 [9] to prevent packets of old con-nections with in-range sequence numbers from being ac-cepted by the current connection mistakenly Even thoughthe latest Linux kernel has eliminated the requirement C1C2 is still preserved

42 Client-Side TCP InjectionIn this attack an attacker attempts to inject malicious

data into a connection established by other apps on thephone The essential part of the attack is the TCP sequencenumber inference which has already been described in de-tail The challenge is that the injected data may competewith the data sent from the legitimate server For instanceconsidering the connection under attack is an HTTP sessionwhere a valid HTTP response typically follows immediatelyafter the request is sent by the time the sequence numberinference is done at least part of the HTTP response is al-ready sent by the server The injected HTTP packets likelycan only corrupt the response and cause denial of serviceinstead of serious damage

Even though the timing requirement sounds difficult tosatisfy we did implement this attack against websites such

0

5

10

15

20

25

30

2 4 6 8 10 12 14 16 18 20 22

tota

l

of

byte

s r

eq

uire

d (

KB

)

of round trips (iterations)

AndroidMac

Figure 7 Tradeoff between inferencespeed and overhead

0

100

200

300

400

500

600

700

0 10 20 30 40 50 60 70 80 90 100

Infe

rence tim

e (

ms)

RTT between attacker and client (ms)

AndroidMac

Figure 8 Relationship between RTTand inference time

Off-path attacker

Legit Server

Victim App

Unprivileged malware

Phone

Co

nn

ectio

n re

set

6 Seq number inference -- start

7 Seq number inference -- end

8 Malicious response

4 Spoofed RSTs

1 SYN

5 ACKrequest

3 SYN-ACK (seq = Y)

2 Notification of new conn

Figure 9 Passive TCP hijacking se-quence

Off-path attacker

Legit Server

Victim App

Unprivileged malware

PhoneC

on

ne

ction

rese

t

9 Seq number inference -- start

10 Seq number inference -- end

11 Malicious response

8 Spoofed RSTs

1 Conn(X)

6 Conn(X)

3 Seq + ACK inference -- start

2 Notification of conn(X)

4 Seq + ACK inference -- end

7 Notification of conn(X)

5 Port jamming

Figure 10 Active TCP hijacking se-quence

as Facebook where we are able to inject malicious Javascriptsto post new status on behalf of a victim user The detail isdescribed in sect51

The idea is to leverage two common scenarios (1) Theserver may take a long time to process a request and as-semble the response This is especially common as manyservices (websites) take longer than 100ms or more to pro-cess a request The fact that the sequence number inferencetime in certain scenarios (when RTT from the server to theclient is small) can be made below 100ms makes the injectionattack as powerful as hijacking (2) A single TCP connec-tion is reused for more than one pair of HTTP request andresponse The idea is to use the inferred sequence numberfor injecting malicious data not on the first HTTP requestbut the later ones In both cases an attacker has enoughtime to conduct sequence number inference

43 Passive TCP HijackingPassive TCP hijacking allows an attacker to hijack TCP

connections that are passively detected This means that theattacker can hijack TCP connections issued by the browseror any other app regardless of how and when they are madeIt is the most powerful TCP attack in this study As demon-strated in sect5 with this attack it is possible to replace theFacebook login page with a phishing one

The high-level idea is the same as proposed in the recentwork [26] which is to reset the connection on the legitimateserver as soon as possible to allow the attacker to claim tobe the legitimate server talking to the victim The key isthat such reset has to be triggered right after the legitimateserver sends SYN-ACK Requirement C1 allows the mal-ware and the attacker to predict the rough range of victimrsquosISN and send reset packets with sequence numbers in thatrange This is helpful because the attacker is required tosend fewer spoofed RST packets (thus with lower bandwidthrequirement) compared to enumerating the entire 4G spaceFurther after the legitimate server is reset requirement S1is necessary since it helps prevent the legitimate server fromgenerating RST upon receiving out-of-state data or ACKpackets from the victim

The attack sequence diagram is shown in Figure 9 Timesteps 1 to 3 are the same as the previous attack where the un-privileged malware detects and reports the newly established

TCP connection In addition the malware also needs to es-tablish a connection to the off-path attacker to report thecurrent ISN value (high 8 bits) With this information attime 4 the off-path attacker can flood the legitimate serverwith a number of spoofed RSTs enumerating the lower 24bits (sequence numbers can increment by a step size as largeas the serverrsquos receive window size) Note that the RSTpackets have to arrive before the ACKrequest packets attime 5 otherwise the server may send back the responsepackets before the attacker Of course the server may needsome time to process the request as well which can varyfrom case to case allowing the attacker additional time tocomplete the reset procedure After the legitimate serverrsquosconnection is reset all future packets from the victim appwill be considered out-of-state and silently dropped due torequirement S1 For instance the ACK packet received attime 5 is silently discarded From time 6 to 7 the attackerconducts the sequence number inference described earlierand injects malicious content afterwards at time 8 with theinferred sequence number A more detailed analysis on thebandwidth and time requirement is discussed in a similarsetting in a prior work [26]

44 Server-side TCP InjectionIn this attack an attacker tries to inject malicious payload

into a victim connection destined for the server (as opposedto the client) For instance as shown in the case study in sect5we are able to target at Windows live messenger protocolsto inject malicious commands to cause persistent changes tothe victim user account eg adding new friends or removingexisting friends

This attack is straightforward by combining the sequencenumber inference and ACK number inference as describedin sect3 We omit the detailed attack sequence as it does notinclude other important steps This attack has no additionalrequirements besides the base requirements In general ap-plications with unencrypted and stateful protocols are goodattack targets

45 Active TCP HijackingIn this attack an attacker attempts to hijack connections

However because the latest Linux kernel since 302 has theentire 32-bit randomized for ISNs of different four tuples

requirement C1 is no longer satisfied In this case we showthat it is still possible to launch a weaker version of TCPhijacking by ldquoactivelyrdquo performing offline analysis as long asrequirement C2 is satisfied As shown in sect5 we have success-fully used the port-jamming-assisted active TCP hijackingto replace a Facebook login page with a phishing one

Requirement C2 specifies that the ISN for the same four-tuple always increments with time This implies that as longas an attacker can infer the clientrsquos ISN for a particular four-tuple once he can store the value for a future connectionthat reuses the same four-tuple and reset the server usingthe stored ISN (plus the increment by time) so that theattacker can hijack the connection

The detailed attack sequence is demonstrated in Fig-ure 10 at time 1 the unprivileged malware establishes aconnection on its own to a target server of interest (egFacebook server) and notifies the off-path attacker imme-diately (at time 2) so that it can infer the client ISN of theused four tuples (through time 3 to 4) Now assuming thatthe attacker knows that a victim app is about to initiate aconnection to the same server an attacker can immediatelyperform port jamming to exhaust all the local port numbers(at time 5) so that the victim apprsquos connection can only usethe local port number that was in the inferred four tuples(we will describe how port jamming can be done later) Nowthat the victim connection reuses the same four tuples themalware can immediately notify the off-path attacker (attime 6) which uses the previously inferred client-side ISNto reset the server (at time 7) Subsequently the attacksequence is identical to the end of passive TCP hijacking

In the above attack sequence one critical part is theknowledge of when the victim app initiates the connection tothe target website One simple strategy is to actively triggerthe victim app to make the connection through the unpriv-ileged malware On Android for instance any app coulddirectly invoke the browser going to a given URL beforewhich the attacker can perform the port jamming

One alternative strategy is to perform offline analysis onas many four tuples as possible so that it can essentially ob-tain the knowledge of ISN for all possible four tuples goingto a particular website (without requiring port jamming)This way after the offline analysis is performed the attackerbasically can launch passive TCP hijacking on any of thefour tuples that have been previously analyzed Since eachclient-side ISN inference should take a little over a secondan attacker can infer for instance 1000 four tuples in 15minutes Even though a connection to Facebook may have1 probability falling in the range the user may repeatedlyvisit the website and the probability that all of the connec-tions failing to match any existing four tuples is likely verylow We have verified that the ISN for the same four-tupledoes increment consistently over time for over an hour Wesuspect that the cryptographic key for computing ISN doesnot change until reboot in Linux 302 and above

To jam local ports the unprivileged malware can simplystart a local server then open many connections to the localserver intentionally occupying most of the local port exceptthe ones that are previously seen for inference One chal-lenge is that the OS may limit the total number of ports thatan application can occupy thus preventing the attacker fromopening too many concurrent connections Interestingly wefind such limit can be bypassed if the established connectionsare immediately closed (which no longer counts towards the

limit) The local port numbers are not immediately releasedsince the closed connections enter the TCP TIME WAITstate for a duration of 1 to 2 minutes

5 ATTACK IMPACT ANALYSIS FROMCASE STUDIES

Experiment setup As discussed earlier even though ourattacks are implemented on both Android and Mac OS wechoose to focus on Android in our implementation and ex-periments We use two different phones Motorola Atrix andSamsung Captivate We verified that all attacks work onboth Android phones although the experimental results arerepeated based on Atrix The WiFi networks include a homenetwork and a university network The off-path attacker ishosted on one or more Planetlab nodes in California

We describe four case studies corresponding to the fourTCP attacks proposed in the previous section We alsopresent experimental results such as how likely we can suc-ceed in hijacking the Facebook login page based on repeatedexperiments

For all attacks we implemented the malware as a benignapp that has the functionality of downloading wallpapersfrom the Internet (thus justifying the Internet permission)Since the malware needs to scan netstat (or procnettcpand procnettcp6 equivalently) for new connection detec-tion which can drain the phonersquos battery very quickly wemake the malware stealthy such that it only scans for newconnections when it detects that the victim app of interestis at the foreground This can be achieved by querying eachapprsquos IMPORTANCE FOREGROUND flag which is typi-cally set by the Android OS whenever it is brought to theforeground Further the malware queries the packet counteronly when the off-path attacker instructs it to do so Themalware is only used in our controlled experiment environ-ments without affecting real users

Note that most apps except the browser on the smart-phones do not have an indication about whether the con-nection is using SSL which means that the users may becompletely unaware of the potential security breach for un-encrypted connections (eg HTTP connections used in theFacebook app)

51 Facebook Javascript InjectionWe launch the attack based on client-side TCP injec-

tion as described in sect42 Recall that the injection can hap-pen only after the sequence number inference finishes If theinference cannot be done earlier than the response comesback the attacker will miss the window of opportunity

By examining the packet trace generated by visiting theFacebook website where a user is already logged in we iden-tify two possible ways to launch the Javascript injection at-tack The first attack is surprisingly straightforward Ba-sically when the user visits mfacebookcom the browserissues an HTTP request that fetches all recent news We ob-serve that it consistently takes the server more than 15 sec-onds to process the request before sending back the first re-sponse packet According to our results in sect37 the inferencetime usually finishes within 07s even when RTT=100ms Itallows enough time for an attacker to inject the maliciousresponse in time (or inject a phishing login page as well)As shown in Table 1 the success rate is 875 based on40 repeated experiments in our home environment where

0

5

10

15

20

25

30

2 4 6 8 10 12 14 16 18 20 22

tota

l

of

byte

s r

eq

uire

d (

KB

)

of round trips (iterations)

AndroidMac

Figure 7 Tradeoff between inferencespeed and overhead

0

100

200

300

400

500

600

700

0 10 20 30 40 50 60 70 80 90 100

Infe

rence tim

e (

ms)

RTT between attacker and client (ms)

AndroidMac

Figure 8 Relationship between RTTand inference time

Off-path attacker

Legit Server

Victim App

Unprivileged malware

Phone

Co

nn

ectio

n re

set

6 Seq number inference -- start

7 Seq number inference -- end

8 Malicious response

4 Spoofed RSTs

1 SYN

5 ACKrequest

3 SYN-ACK (seq = Y)

2 Notification of new conn

Figure 9 Passive TCP hijacking se-quence

Off-path attacker

Legit Server

Victim App

Unprivileged malware

PhoneC

on

ne

ction

rese

t

9 Seq number inference -- start

10 Seq number inference -- end

11 Malicious response

8 Spoofed RSTs

1 Conn(X)

6 Conn(X)

3 Seq + ACK inference -- start

2 Notification of conn(X)

4 Seq + ACK inference -- end

7 Notification of conn(X)

5 Port jamming

Figure 10 Active TCP hijacking se-quence

as Facebook where we are able to inject malicious Javascriptsto post new status on behalf of a victim user The detail isdescribed in sect51

The idea is to leverage two common scenarios (1) Theserver may take a long time to process a request and as-semble the response This is especially common as manyservices (websites) take longer than 100ms or more to pro-cess a request The fact that the sequence number inferencetime in certain scenarios (when RTT from the server to theclient is small) can be made below 100ms makes the injectionattack as powerful as hijacking (2) A single TCP connec-tion is reused for more than one pair of HTTP request andresponse The idea is to use the inferred sequence numberfor injecting malicious data not on the first HTTP requestbut the later ones In both cases an attacker has enoughtime to conduct sequence number inference

43 Passive TCP HijackingPassive TCP hijacking allows an attacker to hijack TCP

connections that are passively detected This means that theattacker can hijack TCP connections issued by the browseror any other app regardless of how and when they are madeIt is the most powerful TCP attack in this study As demon-strated in sect5 with this attack it is possible to replace theFacebook login page with a phishing one

The high-level idea is the same as proposed in the recentwork [26] which is to reset the connection on the legitimateserver as soon as possible to allow the attacker to claim tobe the legitimate server talking to the victim The key isthat such reset has to be triggered right after the legitimateserver sends SYN-ACK Requirement C1 allows the mal-ware and the attacker to predict the rough range of victimrsquosISN and send reset packets with sequence numbers in thatrange This is helpful because the attacker is required tosend fewer spoofed RST packets (thus with lower bandwidthrequirement) compared to enumerating the entire 4G spaceFurther after the legitimate server is reset requirement S1is necessary since it helps prevent the legitimate server fromgenerating RST upon receiving out-of-state data or ACKpackets from the victim

The attack sequence diagram is shown in Figure 9 Timesteps 1 to 3 are the same as the previous attack where the un-privileged malware detects and reports the newly established

TCP connection In addition the malware also needs to es-tablish a connection to the off-path attacker to report thecurrent ISN value (high 8 bits) With this information attime 4 the off-path attacker can flood the legitimate serverwith a number of spoofed RSTs enumerating the lower 24bits (sequence numbers can increment by a step size as largeas the serverrsquos receive window size) Note that the RSTpackets have to arrive before the ACKrequest packets attime 5 otherwise the server may send back the responsepackets before the attacker Of course the server may needsome time to process the request as well which can varyfrom case to case allowing the attacker additional time tocomplete the reset procedure After the legitimate serverrsquosconnection is reset all future packets from the victim appwill be considered out-of-state and silently dropped due torequirement S1 For instance the ACK packet received attime 5 is silently discarded From time 6 to 7 the attackerconducts the sequence number inference described earlierand injects malicious content afterwards at time 8 with theinferred sequence number A more detailed analysis on thebandwidth and time requirement is discussed in a similarsetting in a prior work [26]

44 Server-side TCP InjectionIn this attack an attacker tries to inject malicious payload

into a victim connection destined for the server (as opposedto the client) For instance as shown in the case study in sect5we are able to target at Windows live messenger protocolsto inject malicious commands to cause persistent changes tothe victim user account eg adding new friends or removingexisting friends

This attack is straightforward by combining the sequencenumber inference and ACK number inference as describedin sect3 We omit the detailed attack sequence as it does notinclude other important steps This attack has no additionalrequirements besides the base requirements In general ap-plications with unencrypted and stateful protocols are goodattack targets

45 Active TCP HijackingIn this attack an attacker attempts to hijack connections

However because the latest Linux kernel since 302 has theentire 32-bit randomized for ISNs of different four tuples

requirement C1 is no longer satisfied In this case we showthat it is still possible to launch a weaker version of TCPhijacking by ldquoactivelyrdquo performing offline analysis as long asrequirement C2 is satisfied As shown in sect5 we have success-fully used the port-jamming-assisted active TCP hijackingto replace a Facebook login page with a phishing one

Requirement C2 specifies that the ISN for the same four-tuple always increments with time This implies that as longas an attacker can infer the clientrsquos ISN for a particular four-tuple once he can store the value for a future connectionthat reuses the same four-tuple and reset the server usingthe stored ISN (plus the increment by time) so that theattacker can hijack the connection

The detailed attack sequence is demonstrated in Fig-ure 10 at time 1 the unprivileged malware establishes aconnection on its own to a target server of interest (egFacebook server) and notifies the off-path attacker imme-diately (at time 2) so that it can infer the client ISN of theused four tuples (through time 3 to 4) Now assuming thatthe attacker knows that a victim app is about to initiate aconnection to the same server an attacker can immediatelyperform port jamming to exhaust all the local port numbers(at time 5) so that the victim apprsquos connection can only usethe local port number that was in the inferred four tuples(we will describe how port jamming can be done later) Nowthat the victim connection reuses the same four tuples themalware can immediately notify the off-path attacker (attime 6) which uses the previously inferred client-side ISNto reset the server (at time 7) Subsequently the attacksequence is identical to the end of passive TCP hijacking

In the above attack sequence one critical part is theknowledge of when the victim app initiates the connection tothe target website One simple strategy is to actively triggerthe victim app to make the connection through the unpriv-ileged malware On Android for instance any app coulddirectly invoke the browser going to a given URL beforewhich the attacker can perform the port jamming

One alternative strategy is to perform offline analysis onas many four tuples as possible so that it can essentially ob-tain the knowledge of ISN for all possible four tuples goingto a particular website (without requiring port jamming)This way after the offline analysis is performed the attackerbasically can launch passive TCP hijacking on any of thefour tuples that have been previously analyzed Since eachclient-side ISN inference should take a little over a secondan attacker can infer for instance 1000 four tuples in 15minutes Even though a connection to Facebook may have1 probability falling in the range the user may repeatedlyvisit the website and the probability that all of the connec-tions failing to match any existing four tuples is likely verylow We have verified that the ISN for the same four-tupledoes increment consistently over time for over an hour Wesuspect that the cryptographic key for computing ISN doesnot change until reboot in Linux 302 and above

To jam local ports the unprivileged malware can simplystart a local server then open many connections to the localserver intentionally occupying most of the local port exceptthe ones that are previously seen for inference One chal-lenge is that the OS may limit the total number of ports thatan application can occupy thus preventing the attacker fromopening too many concurrent connections Interestingly wefind such limit can be bypassed if the established connectionsare immediately closed (which no longer counts towards the

limit) The local port numbers are not immediately releasedsince the closed connections enter the TCP TIME WAITstate for a duration of 1 to 2 minutes

5 ATTACK IMPACT ANALYSIS FROMCASE STUDIES

Experiment setup As discussed earlier even though ourattacks are implemented on both Android and Mac OS wechoose to focus on Android in our implementation and ex-periments We use two different phones Motorola Atrix andSamsung Captivate We verified that all attacks work onboth Android phones although the experimental results arerepeated based on Atrix The WiFi networks include a homenetwork and a university network The off-path attacker ishosted on one or more Planetlab nodes in California

We describe four case studies corresponding to the fourTCP attacks proposed in the previous section We alsopresent experimental results such as how likely we can suc-ceed in hijacking the Facebook login page based on repeatedexperiments

For all attacks we implemented the malware as a benignapp that has the functionality of downloading wallpapersfrom the Internet (thus justifying the Internet permission)Since the malware needs to scan netstat (or procnettcpand procnettcp6 equivalently) for new connection detec-tion which can drain the phonersquos battery very quickly wemake the malware stealthy such that it only scans for newconnections when it detects that the victim app of interestis at the foreground This can be achieved by querying eachapprsquos IMPORTANCE FOREGROUND flag which is typi-cally set by the Android OS whenever it is brought to theforeground Further the malware queries the packet counteronly when the off-path attacker instructs it to do so Themalware is only used in our controlled experiment environ-ments without affecting real users

Note that most apps except the browser on the smart-phones do not have an indication about whether the con-nection is using SSL which means that the users may becompletely unaware of the potential security breach for un-encrypted connections (eg HTTP connections used in theFacebook app)

51 Facebook Javascript InjectionWe launch the attack based on client-side TCP injec-

tion as described in sect42 Recall that the injection can hap-pen only after the sequence number inference finishes If theinference cannot be done earlier than the response comesback the attacker will miss the window of opportunity

By examining the packet trace generated by visiting theFacebook website where a user is already logged in we iden-tify two possible ways to launch the Javascript injection at-tack The first attack is surprisingly straightforward Ba-sically when the user visits mfacebookcom the browserissues an HTTP request that fetches all recent news We ob-serve that it consistently takes the server more than 15 sec-onds to process the request before sending back the first re-sponse packet According to our results in sect37 the inferencetime usually finishes within 07s even when RTT=100ms Itallows enough time for an attacker to inject the maliciousresponse in time (or inject a phishing login page as well)As shown in Table 1 the success rate is 875 based on40 repeated experiments in our home environment where

requirement C1 is no longer satisfied In this case we showthat it is still possible to launch a weaker version of TCPhijacking by ldquoactivelyrdquo performing offline analysis as long asrequirement C2 is satisfied As shown in sect5 we have success-fully used the port-jamming-assisted active TCP hijackingto replace a Facebook login page with a phishing one

Requirement C2 specifies that the ISN for the same four-tuple always increments with time This implies that as longas an attacker can infer the clientrsquos ISN for a particular four-tuple once he can store the value for a future connectionthat reuses the same four-tuple and reset the server usingthe stored ISN (plus the increment by time) so that theattacker can hijack the connection

The detailed attack sequence is demonstrated in Fig-ure 10 at time 1 the unprivileged malware establishes aconnection on its own to a target server of interest (egFacebook server) and notifies the off-path attacker imme-diately (at time 2) so that it can infer the client ISN of theused four tuples (through time 3 to 4) Now assuming thatthe attacker knows that a victim app is about to initiate aconnection to the same server an attacker can immediatelyperform port jamming to exhaust all the local port numbers(at time 5) so that the victim apprsquos connection can only usethe local port number that was in the inferred four tuples(we will describe how port jamming can be done later) Nowthat the victim connection reuses the same four tuples themalware can immediately notify the off-path attacker (attime 6) which uses the previously inferred client-side ISNto reset the server (at time 7) Subsequently the attacksequence is identical to the end of passive TCP hijacking

In the above attack sequence one critical part is theknowledge of when the victim app initiates the connection tothe target website One simple strategy is to actively triggerthe victim app to make the connection through the unpriv-ileged malware On Android for instance any app coulddirectly invoke the browser going to a given URL beforewhich the attacker can perform the port jamming

One alternative strategy is to perform offline analysis onas many four tuples as possible so that it can essentially ob-tain the knowledge of ISN for all possible four tuples goingto a particular website (without requiring port jamming)This way after the offline analysis is performed the attackerbasically can launch passive TCP hijacking on any of thefour tuples that have been previously analyzed Since eachclient-side ISN inference should take a little over a secondan attacker can infer for instance 1000 four tuples in 15minutes Even though a connection to Facebook may have1 probability falling in the range the user may repeatedlyvisit the website and the probability that all of the connec-tions failing to match any existing four tuples is likely verylow We have verified that the ISN for the same four-tupledoes increment consistently over time for over an hour Wesuspect that the cryptographic key for computing ISN doesnot change until reboot in Linux 302 and above

To jam local ports the unprivileged malware can simplystart a local server then open many connections to the localserver intentionally occupying most of the local port exceptthe ones that are previously seen for inference One chal-lenge is that the OS may limit the total number of ports thatan application can occupy thus preventing the attacker fromopening too many concurrent connections Interestingly wefind such limit can be bypassed if the established connectionsare immediately closed (which no longer counts towards the

limit) The local port numbers are not immediately releasedsince the closed connections enter the TCP TIME WAITstate for a duration of 1 to 2 minutes

5 ATTACK IMPACT ANALYSIS FROMCASE STUDIES

Experiment setup As discussed earlier even though ourattacks are implemented on both Android and Mac OS wechoose to focus on Android in our implementation and ex-periments We use two different phones Motorola Atrix andSamsung Captivate We verified that all attacks work onboth Android phones although the experimental results arerepeated based on Atrix The WiFi networks include a homenetwork and a university network The off-path attacker ishosted on one or more Planetlab nodes in California

We describe four case studies corresponding to the fourTCP attacks proposed in the previous section We alsopresent experimental results such as how likely we can suc-ceed in hijacking the Facebook login page based on repeatedexperiments

For all attacks we implemented the malware as a benignapp that has the functionality of downloading wallpapersfrom the Internet (thus justifying the Internet permission)Since the malware needs to scan netstat (or procnettcpand procnettcp6 equivalently) for new connection detec-tion which can drain the phonersquos battery very quickly wemake the malware stealthy such that it only scans for newconnections when it detects that the victim app of interestis at the foreground This can be achieved by querying eachapprsquos IMPORTANCE FOREGROUND flag which is typi-cally set by the Android OS whenever it is brought to theforeground Further the malware queries the packet counteronly when the off-path attacker instructs it to do so Themalware is only used in our controlled experiment environ-ments without affecting real users

Note that most apps except the browser on the smart-phones do not have an indication about whether the con-nection is using SSL which means that the users may becompletely unaware of the potential security breach for un-encrypted connections (eg HTTP connections used in theFacebook app)

51 Facebook Javascript InjectionWe launch the attack based on client-side TCP injec-

tion as described in sect42 Recall that the injection can hap-pen only after the sequence number inference finishes If theinference cannot be done earlier than the response comesback the attacker will miss the window of opportunity

By examining the packet trace generated by visiting theFacebook website where a user is already logged in we iden-tify two possible ways to launch the Javascript injection at-tack The first attack is surprisingly straightforward Ba-sically when the user visits mfacebookcom the browserissues an HTTP request that fetches all recent news We ob-serve that it consistently takes the server more than 15 sec-onds to process the request before sending back the first re-sponse packet According to our results in sect37 the inferencetime usually finishes within 07s even when RTT=100ms Itallows enough time for an attacker to inject the maliciousresponse in time (or inject a phishing login page as well)As shown in Table 1 the success rate is 875 based on40 repeated experiments in our home environment where

RTTa=70ms1 RTTa=100msSucc Rate 975 (3940) 875 (3540)1 RTTa is the RTT between the attacker and the client

Table 1 Success rate of Facebook Javascript injection (case study 1)

RTT=100ms It goes up to 975 when the experiment isconducted in the university network where RTT=70ms Thefailed cases are mostly due to packet loss

The second attack is based on the observation that mul-tiple requests are issued over the same TCP connection tothe Facebook site Even if the attacker is not able to in-fer the sequence number in time to inject response for thefirst request (eg Facebook may improve the server pro-cessing time in the future) he can still perform inferencefor the second request Specifically if the user visits theroot page on Facebook the browser on one of the Androidphones (Samsung Captivate) will send two HTTP requeststhe first request is asking for the recent news the secondrequest seems to be related to prefetching (eg retrievingthe friend list information in case a user clicks on any friendfor detailed information)

Since there is a delay of about 1s between the end of thefirst request and the start of the second request an attackercan monitor if the sequence number remains the same for acertain period of time to detect the end of the first responseFurthermore the second request takes about 100ms to pro-cess on the server A simple strategy that an attacker canemploy is to just wait for around 11s before injecting themalicious response for the second request A more sophis-ticated attacker could also monitor the start of the secondrequest by tracking the current ACK number Specificallywhen the second request is sent the valid ACK numberrange moves forward by the number of bytes in the requestpayload

In our proof-of-concept implementation we always injectthe Javascript after waiting for a fixed amount of time afterthe connection is detected which can already succeed fora few times However a more sophisticated attacker candefinitely do better

52 Phishing Facebook Login PageWe launch this attack based on passive TCP hijack

which passively monitors if a new connection to Facebookis made In this case study we look at how to replace theFacebook login page by resetting the Facebook immediatelyafter it has responded with SYN-ACK

We assume that the user is not already logged in to Face-book Otherwise as described in the previous attack theserver processing delay for the first HTTP request is so longthat is is too easy to succeed When the user is not loggedin the server processing delay will become negligible andthe effective time window for reset to succeed is basically asingle round trip time This scenario is also generic enoughthat the attack can be applied for many other websites suchas twittercom

In Table 2 we show how likely the attack can succeed un-der different conditions For instance when therersquos a singlePlanetlab node the success rate is a little below 50 How-ever when we use two nodes for latency values of 70ms and100ms respectively the success rate increases significantly to625 and 825 indicating that we have more bandwidth

to reset the server In addition the result also verifies thatthe larger the RTT the more likely the attack can succeed

Note that the 100ms RTT to Facebook may sound verylarge given the popularity of CDN services However theCDNs are mostly used for hosting static contents such asimages and Javascripts For webpages that are highly cus-tomized and dynamic (eg personalized Facebook newsfeed) they are very likely to be stored on the main server ina single location (eg Facebook main servers are hosted inCalifornia) We find that this is a common design for manysites with dynamic contents (eg twitter)

53 Command Injection on Windows LiveMessenger

Leveraging server-side TCP injection describedin sect44 the case study of command injection attack on Win-dows Live Messenger is an interesting example of server-sideattack carried out on a connection where the user is alreadylogged in The main connection of Windows Live Messengerruns on port 1863 and uses Microsoft Notification Protocol(MSNP) which is a complex instant messenger protocol de-veloped by Microsoft [6] Many Windows Live Messengerclients on Android as well as the ones on the desktops (in-cluding official ones) use plaintext in their connections thusallowing the attack Once upon the detection of a vulner-able Windows Live Messenger app running or a connectionestablished to known port numbers and IP addresses thatare associated with the app an attacker can launch this at-tack

We have verified that the commands that are possible toinject into the server include but not limited to (1) addinga new friend or removing an existing friend (specified by theaccount email address) (2) changing the status messagesand (3) sending messages to friends Given that the messen-ger client is idle most of the time and the fact that the client-side sequence number inference only takes 2ndash3 seconds theattack can be launched fairly easily The commands cancause serious damage For instance the add-friend com-mand allows an attacker to add its malicious account as afriend which can subsequently send spam or phishing mes-sages In addition after being added as a friend the attackercan read the friend list (email accounts) of the victim userdelete them or spam them Finally new status posting canbe part of the phishing attack against the friends as well

54 Restricted Facebook Login Page HijackThis attack is launched based on active TCP hijack as

described in sect45 The goal of this attack is still to hijackTCP connections However due to the lack of ability toreset the server-side connection in the new version of theLinux kernel it requires offline analysis on the client-sideISN of the target four tuples

In our implementation we develop a simple Android testmalware that performs the offline analysis right after it isstarted The four tuples we target include a pre-selectedlocal port and the Facebook server IP thatrsquos resolved formfacebookcom After the analysis the attack takes a lit-

One Planetlab node Two Planetlab nodesRTTb=70ms1 RTTb=100ms RTTb=70ms RTTb=100ms

Succ Rate 425 (1740) 475 (1940) 625 (2540) 825 (3340)1 RTTb is the RTT between the attacker and the Facebook server

Table 2 Success rate of Facebook login page injection (case study 2)

tle over one second and it performs port jamming immedi-ately (which takes about 5 seconds) After this our mal-ware app immediately sends an Intent that asks to openmfacebookcom through the browser An attacker maycome up with reasons such as asking a user to use his Face-book account to register for the app When the browserstarts the connection to Facebook the malware works withthe off-path attacker to hijack the connection (as describedin sect45) We have verified that the Facebook login page canindeed be hijacked following these steps

The main difficulty in this attack is not about successfullyinferring the sequence number Instead it requires the userto be convinced that the app indeed has a relationship withthe target website (ie Facebook) so that the user will enterhis password into the browser

6 DISCUSSION AND CONCLUSIONFrom these real attacks there are a few lessons that

we learn (1) Even though OS statistics are aggregatedand seemingly harmless they can leak critical internal net-worksystem state through unexpected interactions from theon-device malware and the off-path attacker Similar obser-vations have been made recently in a few other studies aswell eg using procfs as side channels [22] Our studyreveals specifically that the packet counters can leak TCPsequence numbers (2) Our systems today still have toomuch shared state the active TCP connection list sharedamong all apps (through netstat or procfs) the IP address ofthe malwarersquos connection and other appsrsquo the global packetcounters Future system and network design should carefullyevaluate what information an adversary can obtain throughthese shared state

On the defense side there are a few measures that mayimprove security (1) always using SSLTLS (2) removingunnecessary global state (such as the active TCP connectionlist and packet counters) or only allow privileged programsto access such state (3) providing better isolation amongresources eg providing a separate set of packet countersfor each app With IPv6 widely deployed we may evenprovide different source IP addresses for connections in dif-ferent processes on a device so that malware will not be ableto learn the IP address of the connection established by an-other process In the extreme case each app may run in itsown virtual machine

To conclude we have demonstrated an important typeof TCP sequence number inference attack enabled by hostpacket counter side-channels under a variety of client OSand network settings We also offer insights on why theyoccur and how they can be mitigated

7 REFERENCES

[1] Blind TCPIP Hijacking is Still Alive httpwwwphrackorgissuesphpissue=64ampid=15

[2] CERT Advisory CA-1995-01 IP Spoofing Attacks andHijacked Terminal ConnectionshttpwwwcertorgadvisoriesCA-1995-01html

[3] Golomb RulerhttpenwikipediaorgwikiGolomb_ruler

[4] Linux Blind TCP Spoofing Vulnerabilityhttpwwwsecurityfocuscombid580info

[5] Linux TCP Random Initial Sequence Numbershttpkerneltraporgnode4654

[6] MSN Messenger Protocolhttpwwwhypotheticorgdocsmsn

[7] RFC 1948 - Defending Against Sequence NumberAttacks httptoolsietforghtmlrfc1948

[8] RFC 5961 - Improving TCPrsquos Robustness to BlindIn-Window Attackshttptoolsietforghtmlrfc5961

[9] RFC 793 - Transmission Control Protocolhttptoolsietforghtmlrfc793

[10] Stateful Firewall and Masquerading on Linux httpwwwpuschitzcomFirewallAndRoutersshtml

[11] sysctl Mac OS X Manualhttpsdeveloperapplecomlibrarymac

documentationDarwinReferenceManpagesman3

sysctl3htmlapple_refdocman3sysctl

[12] TCP Delayed Ack in Linux httpwikihsccomwikiMainInsideLinuxTCPDelayedAck

[13] S Chen R Wang X Wang and K ZhangSide-channel Leaks in Web Applications A RealityToday a Challenge Tomorrow In Proc of IEEESecurity and Privacy 2010

[14] M Dietz S Shekhar Y Pisetsky A Shu and D SWallach Quire Lightweight Provenance for SmartPhone Operating Systems In Proc of USENIXSecurity Symposium 2011

[15] M Egele C Kruegel E Kirda and G Vigna PiOSDetecting Privacy Leaks in iOS Applications InNDSS 2011

[16] W Enck P Gilbert B-G Chun L P Cox J JungP McDaniel and A N Sheth TaintDroid AnInformation-flow Tracking System for RealtimePrivacy Monitoring on Smartphones In OSDI 2010

[17] W Enck D Octeau P McDaniel and S ChaudhuriA Study of Android Application Security In Proc ofUSENIX Security Symposium 2011

[18] R Ensafi J C Park D Kapur and J R CrandallIdle Port Scanning and Non-interference Analysis ofNetwork Protocol Stacks using Model Checking InProc of USENIX Security Symposium 2010

[19] A P Felt H J Wang A Moshchuk S Hanna andE Chin Permission Re-delegation Attacks and

Defenses In Proc of USENIX Security Symposium2011

[20] Y Gilad and A Herzberg Off-Path Attacking theWeb In Proc of USENIX Workshop on OffensiveTechnologies (WOOT) 2012

[21] S Guha and P Francis Characterization andMeasurement of TCP Traversal through NATs andFirewalls In Proc ACM SIGCOMM IMC 2005

[22] S Jana and V Shmatikov Memento Learning secretsfrom process footprints In Proc of IEEE Security andPrivacy 2012

[23] L Joncheray A Simple Active Attack against TCP InProc of USENIX Security Symposium 1995

[24] G LEECH P RAYSON and A WILSON ProcfsAnalysis httpwwwnsagovresearch_filesselinuxpapersslinuxnode57shtml

[25] R Morris A Weakness in the 42BSD Unix TCPIPSoftware Technical report 1985

[26] Z Qian and Z M Mao Off-Path TCP SequenceNumber Inference Attack ndash How Firewall MiddleboxesReduce Security In Proc of IEEE Security andPrivacy 2012

[27] Z Qian Z M Mao Y Xie and F Yu Investigationof Triangular Spamming A Stealthy and EfficientSpamming Technique In Proc of IEEE Security andPrivacy 2010

[28] R Schlegel K Zhang X yong Zhou M IntwalaA Kapadia and X Wang Soundcomber A Stealthyand Context-Aware Sound Trojan for Smartphones InNDSS 2011

[29] D X Song D Wagner and X Tian Timing Analysisof Keystrokes and Timing Attacks on SSH In Proc ofUSENIX Security Symposium 2001

[30] M Vuagnoux and S Pasini Compromisingelectromagnetic emanations of wired and wirelesskeyboards In Proc of USENIX Security Symposium2009

[31] Z Wang Z Qian Q Xu Z M Mao and M ZhangAn Untold Stody of Middleboxes in CellularNetworks In SIGCOMM 2011

[32] P A Watson Slipping in the Window TCP ResetAttacks In CanSecWest 2004

[33] K Zhang and X Wang Peeping Tom in theNeighborhood Keystroke Eavesdropping onMulti-User Systems In Proc of USENIX SecuritySymposium 2009